your s3-auth branch

tridge
Thu Aug 12 00:30:19 MDT 2010

Hi Simo,

 > Because the AD DC case is not the only case we need to support, there is the NT4 style DC,
 > the member server, the standalone server and probably more.
 > The RPC interfaces are set in stone and we always need to get them right anyway, so using
 > them allows us much more flexibility.

I don't follow that logic. How does a "set in stone" API offer
"flexibility"?

 > We can use a samr daemon/implementation in the AD DC case and
 > another one in the member server case. And I plan to use yet
 > another implementation or something based on the current ldapsam in
 > S3 for my trust-rel work in IPA.

and when the time comes that you want an attribute of the user that is
not exposed over SAMR or LSA (there are plenty of those!) then what do
you do?

 > RPC interfaces make any of this *much*, *much* simpler, and avoid
 > layering leaks and shortcuts that made our code such a mess in the
 > past and we are still fighting to clean up.

yes, the auto-generated nature of RPC with IDL is great, but the fixed
nature of SAMR/LSA in a world where the actual attributes of users are
changing isn't.

If we want to use an externally defined API and we also want to ensure
we can support all the user attributes that we will need into the
future then really we need to choose LDAP.

Cheers, Tridge
