Windows and Unix integration - was 'Add external-schema directory'

William Brown william at blackhats.net.au
Mon Apr 30 21:39:34 UTC 2018


On Mon, 2018-04-30 at 07:58 +0100, Rowland Penny via samba-technical
wrote:
> On Mon, 30 Apr 2018 08:43:43 +0300
> Alexander Bokovoy via samba-technical <samba-technical at lists.samba.org>
> wrote:
> 
> > Hi,
> > 
> > On ma, 30 huhti 2018, William Brown via samba-technical wrote:
> > > Hi,
> > > 
> > > There are a small number of useful external schemas that we
> > > should
> > > provide. Instead of letting admins pull these from the internet
> 
> Why not, Windows does.
> 

Sorry, I don't believe this is an appropriate attitude in response to
my proposal.

If people want that experience then they are free to

* Choose not to utilise this resource - I'm not proposing that the
schema is applied by default.
* Continue to use Windows DCs - again choosing not to use this option.

There is a broader picture here however. I am trying to consider this
as an accessibility change that improves the experience for
administrators interested in the Unix integration functionality of
Samba DCs. Making Samba "easier to use" than the Windows DC option is
an attractive change (to me personally) as it will help to encourage
people to utilise it in different situations than people classically
have considered. For example, by making it simpler to provide ssh
public key distribution schema, people can use SUSE/RHEL/Debian with
SSSD, and enjoy the benefits of a single identity store (Samba AD) and
the benefits of a unix directory (distributed ssh keys). 

As well I'm also looking to this as a migration process. Many business
applications still require and link to certain attributes. In my case
it's nsUniqueId, in others it may be entryUUID, or even ipaUniqueId.
Being able to support these attributes on objects means people can
perform a migration from 389DS/OpenLDAP/IPA to Samba AD, without
breaking their applications' UUID links that exist.

This is a change that is looking beyond just "what does Windows do",
but is looking at answering "What is required for Unix to be a first
class client in a Samba AD environment".

Today this is just proposing some schema templates. But in the future I
think that some larger questions of support for things like UUID
generation and compatibility should be proposed as a "bonus extra" to
the Samba project.

Who knows - maybe having easily accessible tooling and schema will be
the deciding factor between "Do we keep using Windows DCs" or "Maybe we
should use Samba as it's easier".

Thanks,

William


