systemd userdb: USER_RECORD IDM Extensions

Andreas Schneider asn at samba.org
Mon Feb 10 08:48:38 UTC 2025


Hi,

I would like to open a discussion about the varlink interface Samba plans to 
provide for the systemd userdb interface.

An initial implementation is almost ready at:
https://gitlab.com/samba-team/samba/-/merge_requests/2928

As we provide pretty much the same things as sssd does, we should agree on the 
additional things we want to provide in the public and/or privileged section 
of the user record.



# USER_RECORD IDM Extensions

For winbind and sssd we want to extend the systemd USER_RECORD. This is 
allowed by systemd as long as they are prefixed. We should coordinate what we 
want to put there.

Please watch Lennart's talk about userdb at FOSDEM:
https://video.fosdem.org/2025/ua2118/fosdem-2025-5071-systemd-s-user-database-api.av1.webm

## Username

Winbind and SSSD should use the same username, and probably the best is to use
<username>@REALM instead of <DOMAIN><separator><username>. systemd has
user/group name syntax checking: https://systemd.io/USER_NAMES/. We should keep
it simple and just use the `@`. Then we can update the document and/or code to
reflect this.

## Public attributes

* idmSecurityIdentifier (SID of the user)
* idmMemberOf (list of SIDs)

Is there anything else an application really would need in the public 
interface?


## Privileged attributes

We might want to add privileged fields for mimicking IPA passwordless methods. 
So far here are just some things we brainstormed from the IPA side.

OIDC integration:
 - OIDC client / secret
 - IdP information (URIs)
 - IdP user identity
 - IdP attribute to check the identity

Passkey integration:
 - passkey (similar to SSH public key)
 - user verification flag
 - assertion info

RADIUS integration:
 - RADIUS server info
 - RADIUS server credential
 - RADIUS user identity

OTP integration:
 - OTP token details (TOTP/HOTP)
 - validity of the token



-- 
Andreas Schneider                      asn at samba.org
Samba Team                             www.samba.org
GPG-ID:     8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D
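As an added example (not part of the post or of the Samba merge request), here is a small Python check over a constructed winbind-style user record carrying the proposed idmSecurityIdentifier and idmMemberOf public fields: it verifies the <username>@REALM form, SID syntax, that every non-systemd field is prefixed, and that secret-bearing attributes (the idmRadius*/idmOidc*/idmOtp* names are assumed here for illustration) only ever appear in the privileged section.

```python
import re

# Constructed sample record; it is not taken from the mailing-list post. The idm*
# key names are the extensions proposed there, the values are made up.
SAMPLE_RECORD = {
    "userName": "alice@EXAMPLE.ORG",
    "realm": "EXAMPLE.ORG",
    "uid": 1000001,
    "gid": 1000001,
    "homeDirectory": "/home/EXAMPLE.ORG/alice",
    "idmSecurityIdentifier": "S-1-5-21-1111111111-2222222222-3333333333-1105",
    "idmMemberOf": ["S-1-5-21-1111111111-2222222222-3333333333-513"],
    # Secrets only ever go into the privileged section of the record.
    "privileged": {"idmRadiusServerCredential": "constructed-secret"},
}

# Windows SID syntax: S-1-<identifier authority>-<sub-authorities...>
SID_RE = re.compile(r"^S-1-\d+(-\d+){1,15}$")
# Fields systemd itself defines that we expect here; anything else must carry
# the agreed extension prefix ("idm" in this example).
KNOWN_KEYS = {"userName", "realm", "uid", "gid", "homeDirectory", "privileged"}
# Assumed names for extension attributes that carry secrets (not on the page).
SECRET_KEYS = ("idmRadiusServerCredential", "idmOidcClientSecret", "idmOtpToken")


def validate_record(rec: dict) -> list:
    """Return a list of problems; an empty list means the record passes."""
    problems = []
    name = rec.get("userName", "")
    user, sep, realm = name.partition("@")
    if not (user and sep and realm) or "@" in realm:
        problems.append("userName must have the form <username>@REALM")
    elif rec.get("realm") and realm != rec["realm"]:
        problems.append("realm field does not match the userName suffix")
    sid = rec.get("idmSecurityIdentifier")
    if not (isinstance(sid, str) and SID_RE.match(sid)):
        problems.append("idmSecurityIdentifier is not a well-formed SID")
    members = rec.get("idmMemberOf", [])
    if not isinstance(members, list) or not all(
        isinstance(m, str) and SID_RE.match(m) for m in members
    ):
        problems.append("idmMemberOf must be a list of SIDs")
    for key in rec:
        if key not in KNOWN_KEYS and not key.startswith("idm"):
            problems.append(f"extension field without prefix: {key}")
        if key in SECRET_KEYS:
            problems.append(f"{key} must be in the privileged section, not public")
    return problems


if __name__ == "__main__":
    print(validate_record(SAMPLE_RECORD))  # prints []
```

systemd still applies its own full user-name syntax rules on top of this; the check here only covers the `@`-separated form the post proposes.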