Backend documentation?

Yoann Gini yoann.gini at gmail.com
Sat Apr 13 02:45:05 MDT 2013


Hello Andrew, hello Scott,

Thanks for your answer.

Le 13 avr. 2013 à 00:27, Andrew Bartlett <abartlet at samba.org> a écrit :

> It should be possible to just forward-port the code Apple used with
> Samba 3.0 (which they published per the GPL) and use that in later
> versions.  The APIs involved haven't changed drastically in later
> versions, but it will require work. 

I’ve already look the Apple source code for their Samba version, and it use the local directory service to run. So, the problem with that solution is we need to install it on a OS X, in place of SMBX, this is not a really update proof solution.

That's why I look to make a UNIX box on a side to make an adapter to translate AD to OD.

> Of course, you are free to re-implement this as well.  My understanding
> is that OpenDirectory 'just' looks like a normal pdb_ldap (so wouldn't
> require major changes), and the auth module could be rewritten based on
> auth_winbind for example. 

Thanks a lot for the indication about pdb_ldap and auth_winbind, that’s what I looking for. I will study that.

A step forward, how do you register backend extension in Samba? On CentOS I’ve seen that backend for idmap are simple .so file on the disk. It’s the same for pdb and auth?

> The issue is things like password changes, which required an intensive
> patch to the code, which like Apple's other changes, never got submitted
> upstream.  

It depends of the Samba architecture. At a time in Samba, you should got the new password in clear text to be able to hash it in different ways? So it should be possible some how to forward it to the Apple PasswordService.

> Another approach which could be very interesting would be to use the
> Heimdal code in Samba 4.0 to directly read the passwords from the MIT
> KDC databases. 
> 
> However, frankly, these cavet's on fork() make a number of us wonder
> about if Samba is long-term viable on OSX:
> https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man2/fork.2.html
> 
> Other Samba users have successfully completed (via the MIT KDC key
> store) a migration from OpenDirectory to Samba 4.0 as an AD DC. 

That’s not a acceptable way to go for me and my clients. We use OS X Server and OpenDirectory as a directory service because it’s lowcost, really easy to use and robust, created on really simple standard and powerful. It don’t have to be so complex like the AD DC. And my client are manly OS X based. For example, the one for who I look here is a small business with 200 Macs and 2 TS server. Go on the AD complexity for only 2 TS server isn’t a good way to go…


More information about the samba-technical mailing list