[Samba] A few questions and propostions on the samba architecture

Rowland Penny rpenny at samba.org
Fri Jul 13 09:59:17 UTC 2018 

On Fri, 13 Jul 2018 11:14:02 +0200
Anton Engelhardt via samba <samba at lists.samba.org> wrote:

> That explains why there is so little information on ldb and sqlite.
> 
>  From my pov sqlite just seemed interesting, as it has a well known 
> syntax and the ability to embedd a transparent logic layer. As there
> is no effort to use sqlite (or sql) in the future , I just burried
> that path.
> 
> As for compability I would strongly suggest to stay where Microsoft
> left off, before killing the "UNIX Attributes" tab in Windows10 RSAT.
> CN=samdom,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System
> msSFU30MaxGidNumber
> msSFU30MaxUidNumber
> msSFU30OrderNumber

They are the attributes that ADUC uses and Samba doesn't. The fear is
that the same ID could be used for two users (or groups) if they were
created on different DC's at the same time. The sheer fact that nobody
has complained of this problem when using ADUC, has nothing to do with
the problem.

> 
> I understand the disire too keep things as compatible as possible,
> but on the other hand open source software usually offers way more
> flexibility.
> 
> in my head there are 2 solutions, which should be completly client 
> compatible and introduce no behavioral change:
> 
>  1. interval poll all class=user objects where uid=NULL, get values
> from above mentioned entries, compose an update transaction (thats the
>     "Just write a powershell script" variant)
>  2. same as 1, just with some sort of trigger (or better filtered
>     subscriptions) for external scripts in samba
>

I personally have always thought that samba-tool should mirror what
ADUC does. You create a basic user, then add other attributes e.g.
RFC2307 attributes with something that works in the same way as the
'UNIX Attributes' tab.
You should also be able to do all this at the same time, which you can
almost do at the present, the only problem is '*idNumber' attribute,
you have, at present, to scribble this on a piece of paper, use what
is on the paper with 'samba-tool user create' and then update the
number on the paper.

> What I also have in mind with this architecture would be something
> like password tokens, but keep in mind this is just a thought.
> 
> The password passed on to ldap auth could be, if the user has an 
> attriblue like "requreToken", stripped of like the last 6 chars,
> which represent the token. The password is matched against the hased
> password in the ldap user entry, the token is processed in an
> external app, if both are a success, login is fine. This propably
> would require kerberos tickets, as the password is constantly
> changing, but would introduce a lot of flexibility, for those who
> dare.
> 
> In terms of internal scripting, is there already anything in samba?

Only on my PC ;-)

Rowland

>

More information about the samba mailing list