[IPA] SID allocation using DNA plugin

Andrew Bartlett abartlet at samba.org
Tue Nov 3 20:04:57 MST 2009

On Tue, 2009-11-03 at 21:20 -0500, Dmitri Pal wrote:

> But I was not concerned about IPA in my comment.
> I was concerned more about a customer who has a DS (not IPA) now and wants
> to add Samba 4 on top of it. Would be nice to be able
> to just use what he has if the default tree is RFC compliant.
> In IPA we removed OUs but standard schema has them so the standard
> schema is closer to AD schema than IPA one so IPA is in worse
> situation (for its own reasons).
> Is it possible to not I do not know. You tell me.
> May be it is something that would never be possible and
> even DS user would have to migrate if they want to
> start using Samba 4. I see this a barrier to adoption
> this why I am asking.

So, my 'evil plan' has been to work with Endi to make as much of his
work viable for this exact thing.  That is, by using SambaSID and other
'existing' attributes and objectClass names as much as possible, another
talented individual may be able to complete enough of the mappings (and
adjust their schema for the rest) such that this works.

For example, we can emulate instanceType (it follows strict rules, only
distinguishing partition heads - which we know at runtime).  We can
store extra information such as the ntSecurityDescriptor, we can relax
the rules around 'person' on the DS side and and we can map the
sambaNTPassword into the unicodePwd, the uid to samAccountName. 

It remains a lot of work, but the benefits are equally high.   We also
have the ldb_map code which is underutilised in the current code, but
still works (by the very good fortune of having a testsuite). 

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20091104/81b2d7af/attachment.pgp>

More information about the samba-technical mailing list