Google Summer of Code

Andrew Bartlett abartlet at
Tue Apr 1 03:00:51 GMT 2008

On Sun, 2008-03-30 at 12:23 +0200, hotte.schibullek at wrote:
> > -----Original Message-----
> > From: "Timo Wingender" <timowi.lists at>
> > Sent: 29.03.08 23:34:09
> > To: Andrew Bartlett <abartlet at>
> > CC: samba-technical at
> > Subject: Re: Google Summer of Code
> > 
> > Andrew Bartlett wrote:
> > > On Thu, 2008-03-27 at 20:01 +0100, Timo Wingender wrote:
> > >   
> > >> I would like to participate in Google Summer of Code this year. I am
> > >> especially interested in the development of samba4 with an LDAP backend.
> > >>     
> > >
> > > This is a very interesting, but frustrating and painful area.  If you
> > > are up for it, then it could be a great contribution, because I'm pretty
> > > much burnt out from working on it for so long. 
> > >   
> > I know LDAP is not an easy area. I have some experience in setting up
> > samba3 with LDAP. But it is a relatively difficult task to set it up
> > and to debug it. You need a lot of knowledge of LDAP and Samba to set it up.
> > I think this could be much easier.
> > I am willing to put much effort into learning more about LDAP and Samba. I
> > think LDAP is the best way to manage users.
> > 
> > > See my post on the LDAP backend above.  
> > >
> > >   
> > >> But I
> > >> have no overview of the current state of samba4. Reimplementing
> > >> something from samba3 is also a possibility. Any recommendations for a
> > >> small project which can be done in 3 months?
> > >>     
> > >
> > > One interesting but difficult project would be to move the DRSUAPI
> > > replication protocols from a one-way demo to a full, tested (ie include
> > > multi-server testsuite) two-way replication with AD.  This would include
> > > changes to LDB to cope with the increased requirements of DRSUAPI
> > > replication (container objects are represented twice, linked attributes
> > > need more metadata).
> > >
> I think the ADS compatibility of samba4 has already reached a point
> where most useful things work (no more significant problems joining
> Windows machines to a domain or administering samba4 DCs with dsa.msc).
> At this stage of development it should be a general question whether to re-invent
> the wheel again

What makes you say 'again'?  The wheel is already well re-invented :-)

>  with ldb or consequently move to a standard LDAP DS and
> focus the work on some missing features/extensions (e.g. the memberof overlay
> in OpenLDAP) to implement the missing ADS features.

While we know this is possible (XAD proves it is), the LDAP backend
question is far more complex than just a few features and extensions.
Even getting to the state where Samba4 provides only some munging and
mapping as a proxy to OpenLDAP has taken 2 years of my time.  

> > > Another similar project might be to implement windows 2008 'read only
> > > DC' functionality in Samba4.  This might be 'safer' than the two-way
> > > replication, but includes a lot of links that we would need to implement
> > > to pass off all secrets handling (including RPCs for verifying NTP
> > > packets, passwords etc). 
> One-way replication - the normal (delta-)syncrepl mode in OpenLDAP -
> already has everything needed for the 'super-new' w2k8 "feature"
> (seems the Redmond guys have at last understood the X.500 principles
> and advantages of a single rw-master)

No, they just needed a mode suitable for installation into local
untrusted branch offices, where the local staff should not have access
to the passwords of the entire enterprise. 

> Another point is that the DS on the Linux/Unix side should be painlessly usable
> and extendable by other open-source standard applications.

This remains the fundamental challenge.  

> As Howard mentioned before, it might not be the best way
> to create a completely new DS application with unknown security
> holes, only to follow all the steps of the Redmond guys.
> samba4 now serves all XP clients, and XP clients will be the biggest
> part of all Windows networks for the next 4-5 years, maybe longer.
> OpenLDAP or FDS can do nearly all of the replication work in a stable way,
> either one-way or multi-master.
> So this should be the direction, not DRSUAPI.

Can we work with the assumption that all users of Samba4 want to start
from scratch?  

No large organisation moves quickly, even to something as good as
Samba4.  Having modes of operation (DRSUAPI replication) that allow a
partial transition will be critical. 

The read only DC mode could allow us to join an AD domain, secure in the
knowledge that we can't screw it up too badly :-)

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team 
Samba Developer, Red Hat Inc.