Fedora DS Support

Andrew Bartlett abartlet at samba.org
Wed Aug 5 23:35:15 MDT 2009


On Wed, 2009-08-05 at 15:43 -0400, Endi Sukma Dewata wrote:
> Hello,
> 
> I'm trying to run Samba 4 using Fedora DS backend and found some issues:
> 
> 1. Unsupported Attribute Syntaxes
> 
> Some attribute syntaxes used by Samba aren't supported by FDS, so they need to be mapped into something else. This is what I had to add into the schema-map-fedora-ds-1.0:
> 
> #Printable String as IA5 String
> 1.3.6.1.4.1.1466.115.121.1.44:1.3.6.1.4.1.1466.115.121.1.26
> #UTC Time as Generalized Time
> 1.3.6.1.4.1.1466.115.121.1.53:1.3.6.1.4.1.1466.115.121.1.24
> #DN with String as Directory String
> 1.2.840.113556.1.4.904:1.3.6.1.4.1.1466.115.121.1.15
> #Presentation Address as Directory String
> 1.3.6.1.4.1.1466.115.121.1.43:1.3.6.1.4.1.1466.115.121.1.15
> 
> Are these mappings ok?

While I've not verified the OIDs, the mapping described seems reasonable
in principle.

> 2. SID Generation on Replicated FDS 
> 
> Currently SID is generated by incrementing the nextRid attribute in the domain object. With multiple FDS masters this could lead to race conditions.
> 
> One solution is to use the DNA plugin in FDS (http://directory.fedoraproject.org/wiki/DNA_Plugin). So Samba will just add the new entry into FDS without SID, and the plugin will automatically generate a unique SID. This would require changing the code a little bit, see source4/dsdb/samldb/ldb_modules/samldb.c:
> 
> static int samldb_fill_object(struct samldb_ctx *ac, const char *type)
> {
>     int ret;
> 
>     ret = samldb_add_step(ac, samldb_get_parent_domain); // get domain SID and next RID
>     if (ret != LDB_SUCCESS) return ret;
>     ret = samldb_add_step(ac, samldb_new_sid); // object SID = domain SID + (next RID + 1)
>     if (ret != LDB_SUCCESS) return ret;
>     ret = samldb_add_step(ac, samldb_check_sid); // check for conflicting SID
>     if (ret != LDB_SUCCESS) return ret;
>     ret = samldb_add_step(ac, samldb_notice_sid); // increment next RID
>     if (ret != LDB_SUCCESS) return ret;
> 
>     return LDB_SUCCESS;
> }
> 
> Basically the above 4 lines will have to be skipped when running with
> FDS. Is this a reasonable approach? How is this problem being handled
> when using replicated OpenLDAP backend?

We also need to consider if Samba should instead just implement its own
distributed RID allocator, using a schema compatible with the one used
by Microsoft.

We don't currently handle this properly with either backend - the main
thing we would need to do is check that nothing needs to know the SID
chosen before the backend allocates it.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
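The race Endi describes in point 2, and the per-master range allocation that both the DNA plugin and a Microsoft-style distributed RID allocator would provide, can be shown with a small simulation. The code below is an added example written for this archive page; it is not Samba, FDS or DNA plugin code. It models the domain object's nextRid attribute as a counter that each master reads and writes locally and that replicates with highest-value-wins, and contrasts it with a scheme in which one allocator hands each master a disjoint RID range (the POOL_SIZE of 500 and the domain SID S-1-5-21-1-2-3 are constructed values). The defender's point: when the naive scheme collides, both counters converge on the same value, so nothing in the directory reveals that two distinct objects now share a SID and therefore resolve to the same identity in every ACL.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of RID allocation across two directory masters that
 * replicate asynchronously. Nothing here is Samba or FDS code. */
#define NUM_MASTERS 2
#define POOL_SIZE 500          /* assumed per-master range size */
#define MAX_PER_MASTER 1200    /* upper bound for the simulation below */

struct master {
    uint32_t next_rid;   /* this master's copy of the domain's nextRid attribute */
    uint32_t pool_next;  /* next unused RID in this master's private pool */
    uint32_t pool_end;   /* exclusive end of that pool; 0 means no pool yet */
};

/* Naive scheme: read nextRid, hand out nextRid + 1, write it back. */
static uint32_t naive_alloc(struct master *m)
{
    uint32_t rid = m->next_rid + 1;
    m->next_rid = rid;
    return rid;
}

/* Replication of a single-valued counter: highest value wins. */
static void replicate(struct master *to, const struct master *from)
{
    if (from->next_rid > to->next_rid)
        to->next_rid = from->next_rid;
}

/* Two masters each create one object before the other's write has
 * replicated. Returns 1 if both objects end up with the same RID. */
static int naive_scenario_collides(void)
{
    struct master a = { 1000, 0, 0 }, b = { 1000, 0, 0 };
    uint32_t rid_a = naive_alloc(&a);
    uint32_t rid_b = naive_alloc(&b);
    replicate(&a, &b);
    replicate(&b, &a);
    /* Both counters converge on 1001, so nothing in the directory reveals
     * that two different objects now share RID 1001. */
    return rid_a == rid_b;
}

/* Pooled scheme: one allocator hands each master a disjoint range and the
 * master allocates from that range locally until it runs out. */
static void grant_pool(struct master *m, uint32_t *allocator_next)
{
    m->pool_next = *allocator_next;
    m->pool_end = *allocator_next + POOL_SIZE;
    *allocator_next += POOL_SIZE;
}

static uint32_t pool_alloc(struct master *m, uint32_t *allocator_next)
{
    if (m->pool_next >= m->pool_end)
        grant_pool(m, allocator_next);
    return m->pool_next++;
}

/* Allocate n RIDs on every master, interleaved, with no replication between
 * them. Returns how many RID values were handed out more than once (-1 if n
 * exceeds the simulation bound); *allocator_out receives the allocator's next
 * free RID, which shows how many pools were issued. */
static int pooled_duplicates(unsigned n_per_master, uint32_t *allocator_out)
{
    static uint32_t rids[NUM_MASTERS * MAX_PER_MASTER];
    struct master m[NUM_MASTERS] = { { 0, 0, 0 }, { 0, 0, 0 } };
    uint32_t allocator_next = 1000;
    size_t count = 0, i, j;
    int dups = 0;

    if (n_per_master > MAX_PER_MASTER)
        return -1;
    for (i = 0; i < n_per_master; i++)
        for (j = 0; j < NUM_MASTERS; j++)
            rids[count++] = pool_alloc(&m[j], &allocator_next);
    for (i = 0; i < count; i++)
        for (j = i + 1; j < count; j++)
            if (rids[i] == rids[j])
                dups++;
    if (allocator_out)
        *allocator_out = allocator_next;
    return dups;
}

/* Object SID = domain SID + "-" + RID, e.g. S-1-5-21-1-2-3-1001. */
static int format_sid(char *buf, size_t len, const char *domain_sid, uint32_t rid)
{
    return snprintf(buf, len, "%s-%u", domain_sid, (unsigned)rid);
}

int main(void)
{
    char sid[80];
    uint32_t allocator_end = 0;

    printf("naive scheme collides: %s\n", naive_scenario_collides() ? "yes" : "no");
    printf("pooled scheme duplicates: %d\n", pooled_duplicates(1200, &allocator_end));
    printf("allocator next free RID after run: %u\n", (unsigned)allocator_end);
    format_sid(sid, sizeof sid, "S-1-5-21-1-2-3", 1001);   /* constructed domain SID */
    printf("example object SID: %s\n", sid);
    return 0;
}
```

With 1200 objects per master and a pool of 500, each master draws three pools, so the allocator ends at RID 4000 and no value is issued twice; the only coordination left is the infrequent pool grant, which is exactly what makes the scheme safe under asynchronous replication. The check Andrew raises still applies to the pooled scheme: anything that needs the object's SID before the add completes must wait until the master has drawn it from its pool.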