Fedora DS Support
abartlet at samba.org
Wed Aug 5 23:35:15 MDT 2009
On Wed, 2009-08-05 at 15:43 -0400, Endi Sukma Dewata wrote:
> I'm trying to run Samba 4 using Fedora DS backend and found some issues:
> 1. Unsupported Attribute Syntaxes
> Some attribute syntaxes used by Samba aren't supported by FDS, so they need to be mapped into something else. This is what I had to add into the schema-map-fedora-ds-1.0:
> #Printable String as IA5 String
> #UTC Time as Generalized Time
> #DN with String as Directory String
> #Presentation Address as Directory String
> Are these mappings ok?
While I've not verified the OIDs, the mapping described seems reasonable
> 2. SID Generation on Replicated FDS
> Currently SID is generated by incrementing the nextRid attribute in the domain object. With multiple FDS masters this could lead to race conditions.
> One solution is to use the DNA plugin in FDS (http://directory.fedoraproject.org/wiki/DNA_Plugin). So Samba will just add the new entry into FDS without SID, and the plugin will automatically generate a unique SID. This would require changing the code a little bit, see source4/dsdb/samldb/ldb_modules/samldb.c:
> static int samldb_fill_object(struct samldb_ctx *ac, const char *type)
> ret = samldb_add_step(ac, samldb_get_parent_domain); // get domain SID and next RID
> ret = samldb_add_step(ac, samldb_new_sid); // object SID = domain SID + (next RID + 1)
> ret = samldb_add_step(ac, samldb_check_sid); // check for conflicting SID
> ret = samldb_add_step(ac, samldb_notice_sid); // increment next RID
> Basically the above 4 lines will have to be skipped when running with
> FDS. Is this a reasonable approach? How is this problem being handled
> when using replicated OpenLDAP backend?
We also need to consider if Samba should instead just implement its own
distributed RID allocator, using a schema compatible with the one used
We don't currently handle this properly with either backend - the main
thing we would need to do is check that nothing needs to know the SID
chosen before the backend allocates it.
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Cisco Inc.
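As an added illustration (not Samba or Fedora DS code), the following Python models the nextRid read-increment-write sequence from samldb.c under two interleavings of two masters, and beside it a DNA-style allocator where each master owns a disjoint RID range; the domain SID, master names and RID values are constructed.

```python
"""Toy model of the two RID allocation strategies discussed in the thread.
All values are constructed samples; this is not Samba or 389/Fedora DS code."""

DOMAIN_SID = "S-1-5-21-1000-2000-3000"  # constructed sample domain SID


def sid_from_rid(rid: int) -> str:
    # objectSid = domain SID + RID (the "domain SID + (next RID + 1)" step)
    return f"{DOMAIN_SID}-{rid}"


def replicated_next_rid_alloc(schedule, start_rid: int) -> dict:
    """Replay an interleaving of steps on one replicated nextRid attribute.
    schedule: sequence of (master, op); op is 'read' (samldb_get_parent_domain)
    or 'write' (samldb_new_sid + samldb_notice_sid). samldb_check_sid runs
    locally before the write and cannot see an allocation that has not yet
    replicated, so two reads before either write hand out the same RID."""
    next_rid = start_rid
    seen, sids = {}, {}
    for master, op in schedule:
        if op == "read":
            seen[master] = next_rid          # value visible to this master now
        elif op == "write":
            rid = seen[master] + 1           # samldb_new_sid
            sids[master] = sid_from_rid(rid)
            next_rid = rid                   # samldb_notice_sid (last writer wins)
        else:
            raise ValueError(f"unknown op {op!r}")
    return sids


class RangeAllocator:
    """DNA-style allocator: each master owns a disjoint [lo, hi) RID range, so
    allocation is local and two masters can never produce the same SID."""

    def __init__(self, name: str, lo: int, hi: int):
        self.name, self.next, self.hi = name, lo, hi

    def allocate(self) -> str:
        if self.next >= self.hi:
            raise RuntimeError(f"{self.name}: RID range exhausted, request a new range")
        rid, self.next = self.next, self.next + 1
        return sid_from_rid(rid)


def duplicate_sids(sids) -> list:
    """Return the SIDs that were handed out more than once."""
    sids = list(sids)
    return sorted({s for s in sids if sids.count(s) > 1})
```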