[Samba] A few questions and propositions on the samba architecture

Andrew Bartlett abartlet at samba.org
Fri Jul 13 09:40:15 UTC 2018


On Fri, 2018-07-13 at 11:14 +0200, Anton Engelhardt via samba wrote:
> That explains why there is so little information on ldb and sqlite.
> 
>  From my pov sqlite just seemed interesting, as it has a well known 
> syntax and the ability to embed a transparent logic layer. As there is 
> no effort to use sqlite (or sql) in the future, I just buried that path.
> 
> As for compatibility I would strongly suggest to stay where Microsoft left 
> off, before killing the "UNIX Attributes" tab in Windows 10 RSAT.
> CN=samdom,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System
> msSFU30MaxGidNumber
> msSFU30MaxUidNumber
> msSFU30OrderNumber

It isn't possible to do safe domain-wide atomic updates of those
values.  Sorry.

> I understand the desire to keep things as compatible as possible, but 
> on the other hand open source software usually offers way more flexibility.
> 
> In my head there are 2 solutions, which should be completely client 
> compatible and introduce no behavioral change:
> 
>  1. interval poll all class=user objects where uid=NULL, get values from
>     above mentioned entries, compose an update transaction (that's the
>     "Just write a powershell script" variant)
>  2. same as 1, just with some sort of trigger (or better filtered
>     subscriptions) for external scripts in samba
> 
> What I also have in mind with this architecture would be something like 
> password tokens, but keep in mind this is just a thought.
> 
> The password passed on to ldap auth could be, if the user has an 
> attribute like "requireToken", stripped of the last 6 chars, which 
> represent the token. The password is matched against the hashed password 
> in the ldap user entry, the token is processed in an external app, and if 
> both are a success, login is fine. This probably would require kerberos 
> tickets, as the password is constantly changing, but would introduce a 
> lot of flexibility, for those who dare.

389ds does something like that.

> In terms of internal scripting, is there already anything in samba?

Not in the LDB layer.  The closest is the check password script hook,
which is severely restricted due to running with the transaction lock
held.

Andrew Bartlett
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
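The polling proposal quoted above (find users without a uidNumber, allocate from msSFU30MaxUidNumber, write the update back) is where Andrew's objection bites. The following is an added example, not code from the mail, from Samba or from any real ldb/LDAP client: it runs the allocation against an in-memory stand-in for a directory with two allocators racing. The naive read-increment-write update hands the same uid to two users; an LDAP modify that deletes the old counter value and adds the new one in a single operation is rejected by the server when the value has moved, so the loser retries and the pair gets distinct uids. All DNs, attribute values and user entries are constructed. The compare-and-swap only holds against a single server; with several DCs each accepting the write locally and reconciling on replication, two DCs can still allocate the same value, which is the domain-wide atomicity problem Andrew refers to.

```python
"""Added example (not from the mail or from Samba): simulate allocating
uidNumber values from the msSFU30MaxUidNumber counter named in the quoted
proposal, against a constructed in-memory single-server directory."""
import threading

COUNTER_DN = "CN=samdom,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System"
COUNTER_ATTR = "msSFU30MaxUidNumber"


class ValueMismatch(Exception):
    """The delete part of a modify named a value that is no longer present."""


class FakeDirectory:
    """Constructed stand-in for one LDAP server; entries are attr -> [values]."""

    def __init__(self, counter_start=10000):
        self._lock = threading.Lock()
        self.entries = {
            COUNTER_DN: {COUNTER_ATTR: [str(counter_start)]},
            "CN=alice,CN=Users,DC=samdom,DC=example": {"objectClass": ["user"]},
            "CN=bob,CN=Users,DC=samdom,DC=example": {"objectClass": ["user"]},
            "CN=carol,CN=Users,DC=samdom,DC=example": {"objectClass": ["user"],
                                                       "uidNumber": ["5000"]},
        }

    def read(self, dn, attr):
        with self._lock:
            return list(self.entries[dn].get(attr, []))

    def replace(self, dn, attr, value):
        """Unconditional replace: last writer wins, the old value is not checked."""
        with self._lock:
            self.entries[dn][attr] = [value]

    def delete_add(self, dn, attr, old, new):
        """One modify carrying 'delete: attr / attr: old' then 'add: attr / attr: new'.
        Applied atomically and rejected if `old` is not currently present."""
        with self._lock:
            if old not in self.entries[dn].get(attr, []):
                raise ValueMismatch(f"{attr} on {dn} no longer holds {old}")
            self.entries[dn][attr] = [new]

    def users_without_uid(self):
        """The search from the proposal: objectClass=user and no uidNumber."""
        with self._lock:
            return sorted(dn for dn, e in self.entries.items()
                          if "user" in e.get("objectClass", []) and not e.get("uidNumber"))


def allocate_naive(d, barrier=None):
    """Read, increment, write back. Two callers that read the same value both get it."""
    cur = int(d.read(COUNTER_DN, COUNTER_ATTR)[0])
    if barrier is not None:
        barrier.wait()  # force both allocators to read before either writes
    d.replace(COUNTER_DN, COUNTER_ATTR, str(cur + 1))
    return cur


def allocate_cas(d, barrier=None):
    """Read, then delete-old/add-new; a rejected modify means another writer won, so retry."""
    first = True
    while True:
        cur = int(d.read(COUNTER_DN, COUNTER_ATTR)[0])
        if barrier is not None and first:
            barrier.wait()
            first = False
        try:
            d.delete_add(COUNTER_DN, COUNTER_ATTR, str(cur), str(cur + 1))
            return cur
        except ValueMismatch:
            continue


def race(allocator, counter_start=10000):
    """Run two allocators concurrently; return (sorted uids handed out, final counter)."""
    d = FakeDirectory(counter_start)
    barrier = threading.Barrier(2)
    got, lock = [], threading.Lock()

    def worker():
        uid = allocator(d, barrier)
        with lock:
            got.append(uid)

    threads = [threading.Thread(target=worker) for _ in range(2)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sorted(got), int(d.read(COUNTER_DN, COUNTER_ATTR)[0])


def assign_missing_uids(d, allocator=allocate_cas):
    """The polling step from the proposal: give every user lacking a uidNumber one."""
    assigned = {}
    for dn in d.users_without_uid():
        uid = allocator(d)
        d.replace(dn, "uidNumber", str(uid))
        assigned[dn] = uid
    return assigned


if __name__ == "__main__":
    print("naive:", race(allocate_naive))
    print("cas:  ", race(allocate_cas))
    print(assign_missing_uids(FakeDirectory()))
```

The naive path is what a quick script that reads the counter, adds one and writes it back does; the delete/add form is the standard LDAP idiom for an optimistic counter and is what to use if the allocation is confined to one server.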

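The "password followed by a token" idea in the quoted mail, as an added example that is not code from the mail, from Samba or from 389ds: a stand-alone verifier that splits the presented string into password and trailing 6-digit token, checks the password against a constructed PBKDF2 record and the token against an RFC 6238 TOTP computed from a constructed shared secret (the "external app" in the proposal). The record field name requireToken, the secret and the salt are assumptions. The split only makes sense on a path where the server sees the plaintext, such as an LDAP simple bind; with Kerberos or NTLM the password never reaches the server, which is the limitation the mail anticipates.

```python
"""Added example (not from the mail, Samba or 389ds): verify "password+token"
presented as one string, with the token checked as an RFC 6238 TOTP."""
import hashlib
import hmac
import struct

TOKEN_LEN = 6   # the "last 6 chars" from the proposal
STEP = 30       # TOTP time step in seconds


def totp(secret: bytes, now: int, digits: int = TOKEN_LEN) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step) for Unix time `now`."""
    counter = now // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def make_record(password: str, totp_secret: bytes, salt: bytes, require_token=True):
    """Constructed stand-in for the user's directory entry."""
    return {
        "salt": salt,
        "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000),
        "requireToken": require_token,   # assumed attribute name
        "totpSecret": totp_secret,
    }


def _check_password(record, password: str) -> bool:
    got = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], 100_000)
    return hmac.compare_digest(got, record["hash"])


def verify(record, presented: str, now: int) -> bool:
    """Accept `presented` for this record at time `now`."""
    if not record["requireToken"]:
        return _check_password(record, presented)
    # Refuse to split a string that cannot hold both a password and a token;
    # otherwise an empty password plus a valid token would be accepted.
    if len(presented) <= TOKEN_LEN:
        return False
    password, token = presented[:-TOKEN_LEN], presented[-TOKEN_LEN:]
    pw_ok = _check_password(record, password)
    # Accept the previous, current and next step to tolerate clock skew.
    tok_ok = any(hmac.compare_digest(token, totp(record["totpSecret"], now + d * STEP))
                 for d in (-1, 0, 1))
    return pw_ok and tok_ok   # both evaluated, so timing does not say which failed


if __name__ == "__main__":
    # RFC 6238 test secret; at time 59 the SHA-1 TOTP is 94287082.
    rec = make_record("correct horse", b"12345678901234567890", b"constructed-salt")
    print(verify(rec, "correct horse287082", 59))
```

Because the verifier sees a different string on every login, nothing derived from the bare password (Kerberos long-term keys, NT hashes) can be reused unchanged; that is the reason the mail expects the scheme to end up needing tickets rather than repeated password logins.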