[Samba] A few questions and propostions on the samba architecture

Rowland Penny rpenny at samba.org
Fri Jul 13 08:46:05 UTC 2018

On Fri, 13 Jul 2018 20:25:47 +1200
Andrew Bartlett via samba <samba at lists.samba.org> wrote:

> On Fri, 2018-07-13 at 09:36 +0200, Anton Engelhardt via samba wrote:
> > Due to a few problems I encountered I had a tiny look at the samba
> > code and gut a few questions, statements and propositions. Please
> > by all means, correct me if I got something wrong.
> > 
> >  1. besides filestore for shares and config files samba uses ldb as
> > an exclusive storage backend
> >      1. LDB supports TDB, LDAP and SQLITE3 backend
> >      2. Samba hard codes to TDB files like "sam.ldb"
> >  2. ldap does not support any server side actions
> >      1. Not possible to implement "on create class user
> >         uidNumber=get_next_free_uid()"
> >      2. Only possible to define required/optional attributes
> >      3. ldap service is provided trough ldb-ldap -> tdb
> > 
> > I don't know if it is a good idea, but when using something like
> > sqlite3 it would be possible to use "CREATE TRIGGER", to perform
> > some automation magic on server side, like giving out uidNumber and
> > gidNumber.
> > 
> > Or even use "CREATE VIEW" with "CREATE TRIGGER" to implement fancy
> > stuff like server side transparent password token validation.
> > 
> > Depending on my undarstanding of the current architecture and the
> > state of the ldb sqlite backend this would seem like the easiest
> > approach, correct me if I'm too far off.
> Using ldb_sqlite wouldn't help, as we don't use it in a smart way, it
> was added (and then left unmaintained, we really should remove it) in
> the hope of getting transaction support, but instead that was gained
> via tdb.
> The uidNumber and gidNumber changes you desire are reasonable, and we
> could do those in the samldb module or similar.  We haven't done so
> because:
>  - at the time we were trying to match Windows AD behaviour exactly.  
>  - the allocation needs to be stateless or manage the free id pool
> like the RID pool.
> (Because we need to ensure that two users created at the same time on
> different servers don't overlap uids)

Yes, but we still could have this problem if ADUC is installed on two
Windows PC's and two people create a user at the same time. Not that we
would have this problem on Win10 though.
> My preference is to have these modules use the same RID+offset
> algorithm that sssd uses, and leverage the RID as a unique value.

Yes the RID would be unique, but the offset might not be, so you
could get collisions.
> The key would be to make this relatively compatible with the settings
> used in winbindd on the file server, so if that RID base were
> inappropriate another could be chosen via idmap_rid.

How about this, dump EVERY winbind backend except 'rid' and then obtain
the lower range at provision time.


More information about the samba mailing list