[Samba] Group Mapping in MySQL backend

Bjoern Scheuermann bjoern at solution.de
Wed Feb 4 17:01:42 GMT 2004


Hi Jelmer,

thanks for your reply!

> > > are there any plans to add some support for storing not only user
> > > information, but also group mappings in the MySQL passdb backend? Or
> > > are there problems I'm not aware of why this cannot be done?
>
> After I finish the registry library work, this is one of the things I'm
> going to look at next. Could take a few months though...
>
> > I'd maybe be willing to try doing this on my own, if somebody could give
> > me some hints on how to start. Is it just the implementation of the
> > methods for storing and retrieving the group mappings which I've found in
> > the LDAP backend code? Or is there anything more to do?
>
> Yep, that's all.

Doesn't seem to be much of a problem then, maybe I'll really try this. I have 
to finish some other stuff first, too; maybe in two or three weeks.

I also consider a little patch for being able to use one single table for 
nss_mysql's and samba's data. More precisely, I don't want smbpasswd -a or a 
samba domain join to fail if a row with the given UID/username already 
exists, but rather to fill the "samba-columns", i.e. doing an UPDATE instead 
of an INSERT, if the ID already exists.

> > > And - by the way - is there any reason why pdb_mysql should not (yet)
> > > be used in larger installations (several hundred clients), or why
> > > several servers shouldn't share one common database? Are there any
> > > experiences regarding such installations, or are any problems already
> > > known?
> >
> > Nobody using it with more than a few users/clients?
> > What a pity...
>
> There are a couple of large installations out there. It's just that LDAP
> is more commonly used for user databases. Other reasons might be:
>
> - libnss_mysql doesn't work very well (at least, last time I tried it)

Works fine for me at the moment, although just in a really small experimental 
setup. Do you have some more information on what kind of problems occurred? 
Maybe I could do some more specific tests then.

> - user databases are most of the time read-only operations, something
> LDAP is optimized for
> - Easier extension of fields stored for users - it's easy to add a
> schema, while in MySQL you would have to modify your table.

We're working on an authentication scheme for server installations in schools, 
and we'll regularly have some quite complicated and large-scale automated 
modifications in the user and group structure -- at least once a year. 
Additionally we have some privilege-related user- and group-metadata with 
various kinds of relations, which doesn't fit into a tree structure very well 
and gets updated quite often.
Therefore we got the idea of putting it all into a SQL database.


Bjoern
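
The "UPDATE instead of an INSERT" behaviour proposed in the message, as an added example that is not part of the original post or of Samba's pdb_mysql code. It uses SQLite from the Python standard library as a stand-in for MySQL so it runs offline; the table layout, column names and function names are assumptions.

```python
import sqlite3

# Hypothetical shared table: uid/username/homedir belong to nss_mysql,
# nt_pw/lm_pw are the "samba columns". All names are assumptions.
SCHEMA = """CREATE TABLE users (
    uid INTEGER PRIMARY KEY, username TEXT NOT NULL UNIQUE,
    homedir TEXT, nt_pw TEXT, lm_pw TEXT)"""
INSERT = "INSERT INTO users (uid, username, nt_pw, lm_pw) VALUES (?, ?, ?, ?)"

def naive_add(db, uid, username, nt_pw, lm_pw):
    """Plain INSERT: fails once nss_mysql already owns a row for this user."""
    try:
        with db:
            db.execute(INSERT, (uid, username, nt_pw, lm_pw))
        return True
    except sqlite3.IntegrityError:
        return False

def add_or_fill(db, uid, username, nt_pw, lm_pw):
    """Fill the samba columns of an existing row, or INSERT a new row."""
    with db:  # commits on success, rolls back if the INSERT raises
        # Match uid AND username: a uid that belongs to another name falls
        # through to the INSERT, which the primary key then rejects.
        cur = db.execute("UPDATE users SET nt_pw = ?, lm_pw = ? "
                         "WHERE uid = ? AND username = ?",
                         (nt_pw, lm_pw, uid, username))
        if cur.rowcount == 1:
            return "updated"
        db.execute(INSERT, (uid, username, nt_pw, lm_pw))
        return "inserted"

def demo():
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    # Constructed sample row, as nss_mysql would have created it.
    db.execute("INSERT INTO users (uid, username, homedir) "
               "VALUES (1001, 'alice', '/home/alice')")
    db.commit()
    # Hash values below are constructed placeholders, not real hashes.
    out = {"naive": naive_add(db, 1001, "alice", "NT-PLACEHOLDER", "LM-PLACEHOLDER"),
           "existing": add_or_fill(db, 1001, "alice", "NT-PLACEHOLDER", "LM-PLACEHOLDER"),
           "new": add_or_fill(db, 1002, "bob", "NT-PLACEHOLDER", "LM-PLACEHOLDER")}
    try:
        add_or_fill(db, 1001, "mallory", "NT-OTHER", "LM-OTHER")
        out["mismatch"] = "accepted"
    except sqlite3.IntegrityError:
        out["mismatch"] = "rejected"
    out["alice"] = db.execute("SELECT homedir, nt_pw FROM users WHERE uid = 1001").fetchone()
    return out

if __name__ == "__main__":
    print(demo())
```

The UPDATE touches only the samba columns, so the nss_mysql fields of the existing row are left as they were.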


