Windows and Unix integration - was 'Add external-schema directory'

Rowland Penny rpenny at samba.org
Tue May 1 07:38:47 UTC 2018


On Tue, 01 May 2018 09:39:34 +1200
William Brown <william at blackhats.net.au> wrote:

> On Mon, 2018-04-30 at 07:58 +0100, Rowland Penny via samba-technical
> wrote:
> > On Mon, 30 Apr 2018 08:43:43 +0300
> > Alexander Bokovoy via samba-technical
> > <samba-technical at lists.samba.org>
> > wrote:
> > 
> > > Hi,
> > > 
> > > On Mon, 30 Apr 2018, William Brown via samba-technical wrote:
> > > > Hi,
> > > > 
> > > > There are a small number of useful external schemas that we
> > > > should
> > > > provide. Instead of letting admins pull these from the internet
> > 
> > Why not, Windows does.
> > 
> 
> Sorry, I don't believe this is an appropriate attitude in response to
> my proposal.
> 
> If people want that experience then they are free to
> 
> * Choose not to utilise this resource - I'm not proposing that the
> schema is applied by default.
> * Continue to use Windows DCs - again choosing not to use this
> option.
> 
> There is a broader picture here however. I am trying to consider this
> as an accessibility change that improves the experience for
> administrators interested in the Unix integration functionality of
> Samba DCs. Making Samba "easier to use" than the Windows DC option is
> an attractive change (to me personally) as it will help to encourage
> people to utilise it in different situations than people classically
> have considered. For example, by making it simpler to provide ssh
> public key distribution schema, people can use SUSE/RHEL/Debian with
> SSSD, and enjoy the benefits of a single identity store (Samba AD) and
> the benefits of a unix directory (distributed ssh keys). 
> 
> As well I'm also looking to this as a migration process. Many business
> applications still require and link to certain attributes. In my case
> it's nsUniqueId, in others it may be entryUUID, or even ipaUniqueId.
> Being able to support these attributes on objects means people can
> perform a migration from 389DS/OpenLDAP/IPA to Samba AD, without
> breaking their applications' UUID links that exist.
> 
> This is a change that is looking beyond just "what does Windows do",
> but is looking at answering "What is required for Unix to be a first
> class client in a Samba AD environment".
> 
> Today this is just proposing some schema templates. But in the future
> I think that some larger questions of support for things like UUID
> generation and compatibility should be proposed as a "bonus extra" to
> the Samba project.
> 
> Who knows - maybe having easily accessible tooling and schema will be
> the deciding factor between "Do we keep using Windows DCs" or "Maybe
> we should use Samba as it's easier".
> 
> Thanks,
> 
> William

Provided that what you are proposing can be ignored, I can accept it.

Yes, whilst 'windows does it' isn't really a good argument, you have to
remember that if people want to do things that Samba denies, but
Windows allows, they will just use Windows to do them.

Rowland


