[Samba] A few questions and propositions on the samba architecture

Anton Engelhardt engelhardt.anton at gmail.com
Fri Jul 13 09:32:39 UTC 2018


Got it, SQLITE3 KDB is dead.

While scripting is always a solution, not having events and simply 
binding them to an interval seems inefficient and open source gives us 
the opportunity to solve things the "proper" way. I know, there are 
people who love to Bodge.

As for the windows tools, assume I really rely on UID and GID for e.g. 
dovecot, setting up an account from the wrong machine, wrong user 
context would leave those fields blank.
IMHO automation is key, especially if you scale up your environment. 
Avoid human error at any cost, as humans usually don't think too much 
before they do.

What I mean by "Only possible to define required/optional attributes" is 
that LDAP offers CRUD, without any modification of the provided data on 
read/write through methods. There are no constraints like in SQL.

SQL "CREATE VIEW" + "CREATE TRIGGER" is a very powerful method of 
transparently running methods on data that is read or written in a table. 
Transparent is key here, that's why I mentioned it. It's not related to 
checking the password complexity.


On 13.07.2018 at 10:29, Rowland Penny via samba wrote:
> On Fri, 13 Jul 2018 09:36:14 +0200
> Anton Engelhardt via samba <samba at lists.samba.org> wrote:
>
>> Due to a few problems I encountered I had a tiny look at the samba
>> code and got a few questions, statements and propositions. Please by
>> all means, correct me if I got something wrong.
>>
>>   1. besides filestore for shares and config files samba uses ldb as an
>>      exclusive storage backend
>>       1. LDB supports TDB, LDAP and SQLITE3 backend
>>       2. Samba hard codes to TDB files like "sam.ldb"
> There is ongoing work to use LDAP instead of LDB, but it is very much a
> WIP, I do not know of any work to use SQLITE3.
>
>>   2. ldap does not support any server side actions
>>       1. Not possible to implement "on create class user
>>          uidNumber=get_next_free_uid()"
> Well no, but you can add a couple of attributes (Which are added and
> used if you create users & groups from Windows ADUC) and then write a
> script around 'samba-tool user create'
>
>>       2. Only possible to define required/optional attributes
> Not sure what you mean here, surely being able to update the schema is
> a good thing.
>
>>       3. ldap service is provided through ldb-ldap -> tdb
>>
>> I don't know if it is a good idea, but when using something like
>> sqlite3 it would be possible to use "CREATE TRIGGER", to perform some
>> automation magic on server side, like giving out uidNumber and
>> gidNumber.
> As I said, it can be done, you just need to script it yourself.
>
>> Or even use "CREATE VIEW" with "CREATE TRIGGER" to implement fancy
>> stuff like server side transparent password token validation.
> Samba-tool will tell you if a password doesn't meet the required
> complexity.
>
>> Depending on my understanding of the current architecture and the
>> state of the ldb sqlite backend this would seem like the easiest
>> approach, correct me if I'm too far off.
>>
> I cannot see SQLITE3 ever being used, the LDAP work has been ongoing for
> years and still doesn't work (last time I heard).
>
> Rowland
>
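As an added illustration of the "CREATE VIEW" + "CREATE TRIGGER" idea discussed above (this is not code from the thread or from Samba; Samba keeps its SAM in TDB-backed LDB, not SQLite, and the table, view and column names below are made up for the example): an INSTEAD OF trigger on a view hands out the next free uidNumber transparently on insert, while a CHECK constraint and a UNIQUE constraint reject bad or duplicate values, which is the kind of server-side constraint the message says plain LDAP does not offer.

```python
"""Constructed example: SQLite view + INSTEAD OF trigger that allocates
uidNumber server-side, plus SQL constraints that reject invalid values.
Not Samba code; the schema is hypothetical."""
import sqlite3

SCHEMA = """
-- Backing table. CHECK keeps allocations out of the reserved system range.
CREATE TABLE accounts (
    sAMAccountName TEXT PRIMARY KEY,
    uidNumber      INTEGER UNIQUE NOT NULL CHECK (uidNumber >= 1000),
    gidNumber      INTEGER NOT NULL
);

-- Single-row allocation counter, kept separate from the accounts table.
CREATE TABLE uid_pool (next_uid INTEGER NOT NULL);
INSERT INTO uid_pool VALUES (10000);

-- The view is what clients write to; uidNumber/gidNumber may be omitted.
CREATE VIEW user_create AS
    SELECT sAMAccountName, uidNumber, gidNumber FROM accounts;

-- INSTEAD OF trigger: runs transparently for every INSERT on the view.
-- NULL uidNumber -> take the counter; explicit value -> keep it, but move
-- the counter past it so later automatic allocations cannot collide.
CREATE TRIGGER user_create_ins INSTEAD OF INSERT ON user_create
BEGIN
    INSERT INTO accounts (sAMAccountName, uidNumber, gidNumber)
    VALUES (NEW.sAMAccountName,
            COALESCE(NEW.uidNumber, (SELECT next_uid FROM uid_pool)),
            COALESCE(NEW.gidNumber, 100));
    UPDATE uid_pool
       SET next_uid = MAX(next_uid, COALESCE(NEW.uidNumber, next_uid) + 1);
END;
"""


def open_db():
    """Create an in-memory database with the hypothetical schema."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def create_user(con, name, uid=None, gid=None):
    """Insert through the view and return the uidNumber actually stored.

    Any constraint violation raised by the trigger body rolls the whole
    insert back (the 'with con:' block) and propagates as IntegrityError.
    """
    with con:
        con.execute(
            "INSERT INTO user_create (sAMAccountName, uidNumber, gidNumber) "
            "VALUES (?, ?, ?)",
            (name, uid, gid),
        )
    row = con.execute(
        "SELECT uidNumber FROM accounts WHERE sAMAccountName = ?", (name,)
    ).fetchone()
    return row[0]


def demo():
    """Exercise allocation, explicit values and the two rejection paths."""
    con = open_db()
    results = {}
    results["alice"] = create_user(con, "alice")           # counter: 10000
    results["bob"] = create_user(con, "bob")               # counter: 10001
    results["svc"] = create_user(con, "svc", uid=20000)    # explicit, kept
    results["carol"] = create_user(con, "carol")           # counter moved: 20001
    try:
        create_user(con, "dup", uid=10000)                 # UNIQUE violation
        results["dup"] = "accepted"
    except sqlite3.IntegrityError:
        results["dup"] = "rejected"
    try:
        create_user(con, "root2", uid=5)                   # CHECK violation
        results["low"] = "accepted"
    except sqlite3.IntegrityError:
        results["low"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the view is that the client never has to know how uidNumber is chosen; the trigger does it inside the same transaction as the insert, so a failed constraint leaves neither a half-created account nor a consumed counter value behind.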