[Samba] A few questions and propositions on the samba architecture
rpenny at samba.org
Fri Jul 13 10:57:17 UTC 2018
On Fri, 13 Jul 2018 11:32:39 +0200
Anton Engelhardt <engelhardt.anton at gmail.com> wrote:
> Got it, SQLITE3 KDB is dead.
> While scripting is always a solution, not having events and simply
> binding them to an interval seems inefficient and open source gives
> us the opportunity to solve things the "proper" way. I know, there
> are people who love to Bodge.
> As for the windows tools, assume I really rely on UID and GID for
> e.g. dovecot, setting up an account from the wrong machine, wrong
> user context would leave those fields blank.
> IMHO automation is key, especially if you scale up your environment.
> Avoid human error at any cost, as humans usually don't think too much
> before they do.
> What I mean by "Only possible to define required/optional attributes"
> is that LDAP offers CRUD, without any modification of the provided
> data on read/write through methods. There are no constraints like in
> SQL. "CREATE VIEW" + "CREATE TRIGGER" is a very powerful method of
> transparently running methods on data that is read or written in a
> table. Transparent is key here, that's why I mentioned it. It's not
> related to check the password complexity.
> On 13.07.2018 at 10:29, Rowland Penny via samba wrote:
> > On Fri, 13 Jul 2018 09:36:14 +0200
> > Anton Engelhardt via samba <samba at lists.samba.org> wrote:
> >> Due to a few problems I encountered I had a tiny look at the samba
> >> code and got a few questions, statements and propositions. Please
> >> by all means, correct me if I got something wrong.
> >> 1. besides filestore for shares and config files samba uses ldb
> >> as an exclusive storage backend
> >> 1. LDB supports TDB, LDAP and SQLITE3 backend
> >> 2. Samba hard codes to TDB files like "sam.ldb"
> > There is ongoing work to use LDAP instead of LDB, but it is very
> > much a WIP, I do not know of any work to use SQLITE3.
> >> 2. ldap does not support any server side actions
> >> 1. Not possible to implement "on create class user
> >> uidNumber=get_next_free_uid()"
> > Well no, but you can add a couple of attributes (Which are added and
> > used if you create users & groups from Windows ADUC) and then write
> > a script around 'samba-tool user create'
> >> 2. Only possible to define required/optional attributes
> > Not sure what you mean here, surely being able to update the schema
> > is a good thing.
> >> 3. ldap service is provided through ldb-ldap -> tdb
> >> I don't know if it is a good idea, but when using something like
> >> sqlite3 it would be possible to use "CREATE TRIGGER", to perform
> >> some automation magic on server side, like giving out uidNumber and
> >> gidNumber.
> > As I said, it can be done, you just need to script it yourself.
> >> Or even use "CREATE VIEW" with "CREATE TRIGGER" to implement fancy
> >> stuff like server side transparent password token validation.
> > Samba-tool will tell you if a password doesn't meet the required
> > complexity.
> >> Depending on my understanding of the current architecture and the
> >> state of the ldb sqlite backend this would seem like the easiest
> >> approach, correct me if I'm too far off.
> > I cannot see SQLITE3 ever being used, the LDAP work has been ongoing
> > for years and still doesn't work (last time I heard).
> > Rowland
I have been thinking about the problem of creating a user with rfc2307
attributes and have come up with a possible solution.
If you are creating a new user with rfc2307 attributes with samba-tool,
or adding them to an existing user, then carry out the transaction on
the RID Manager FSMO role owner. This should ensure that an ID number
could only be used once. Of course this wouldn't help with ADUC, but,
A) ADUC uses any DC anyway and nobody seems to have complained about
duplicate uidNumber & gidNumber attributes
B) There is no 'UNIX Attributes' tab in Win10
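The two suggestions in this thread, wrapping a script around 'samba-tool user create' and carrying out the rfc2307 allocation on the RID Manager FSMO role owner, fit together in one small script. The following is an added example, not code from the thread or from the Samba project. It assumes: a site-specific uidNumber range (ID_RANGE); that `samba-tool fsmo show` prints a line of the form "RidAllocationMasterRole owner: CN=NTDS Settings,CN=<dc>,..."; that `ldbsearch` is available to list the uidNumbers already in use; and a hypothetical lock-file path used to serialise concurrent runs on the same host. The FSMO and LDIF samples embedded below are constructed so the allocation logic can be exercised without a DC.

```python
"""Allocate the next free uidNumber and create the user on the RID Manager FSMO owner.

Added example (not from the mailing-list thread, not Samba's own code).
Assumptions: ID_RANGE is site-specific; `samba-tool fsmo show` output format as
parsed in rid_master_from_fsmo_output(); `ldbsearch` is installed; LOCK_FILE is a
hypothetical path.
"""
import fcntl
import re
import subprocess

ID_RANGE = (10000, 19999)                  # assumed site-specific rfc2307 range
LOCK_FILE = "/run/lock/rfc2307-alloc.lock"  # hypothetical; serialises runs on this host

# Constructed sample of `samba-tool fsmo show` output (only the line we need is real-looking).
FSMO_SAMPLE = (
    "SchemaMasterRole owner: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,"
    "CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com\n"
    "RidAllocationMasterRole owner: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,"
    "CN=Sites,CN=Configuration,DC=samdom,DC=example,DC=com\n"
)

# Constructed sample of `ldbsearch '(uidNumber=*)' uidNumber` output: 10002 is free.
LDIF_SAMPLE = (
    "# record 1\ndn: CN=alice,CN=Users,DC=samdom,DC=example,DC=com\nuidNumber: 10000\n\n"
    "# record 2\ndn: CN=bob,CN=Users,DC=samdom,DC=example,DC=com\nuidNumber: 10001\n\n"
    "# record 3\ndn: CN=carol,CN=Users,DC=samdom,DC=example,DC=com\nuidNumber: 10003\n\n"
    "# returned 3 records\n"
)


def next_free_id(existing, id_range=ID_RANGE):
    """Lowest number inside id_range that no existing object already carries."""
    lo, hi = id_range
    used = set(existing)
    for candidate in range(lo, hi + 1):
        if candidate not in used:
            return candidate
    raise RuntimeError("rfc2307 ID range %d-%d is exhausted" % id_range)


def ids_from_ldif(ldif_text, attr):
    """Collect the integer values of `attr` from LDIF text such as ldbsearch output."""
    pattern = r"^%s:\s*(\d+)\s*$" % re.escape(attr)
    return [int(v) for v in re.findall(pattern, ldif_text, re.M)]


def rid_master_from_fsmo_output(fsmo_text):
    """DC name from the RidAllocationMasterRole line of `samba-tool fsmo show`."""
    m = re.search(r"^RidAllocationMasterRole owner:\s*CN=NTDS Settings,CN=([^,]+),",
                  fsmo_text, re.M)
    if not m:
        raise RuntimeError("RID Manager FSMO owner not found in fsmo output")
    return m.group(1)


def build_create_command(username, uid_number, gid_number, dc, admin="administrator"):
    """argv for `samba-tool user create`, bound to the RID master via -H ldap://<dc>."""
    return ["samba-tool", "user", "create", username,
            "--random-password",
            "--uid-number=%d" % uid_number,
            "--gid-number=%d" % gid_number,   # gid of an existing group, chosen by caller
            "-H", "ldap://%s" % dc,
            "-U", admin]


def allocate_and_create(username, gid_number, admin="administrator",
                        run=subprocess.run, lock_path=LOCK_FILE):
    """Locate the RID master, read used uidNumbers from it, allocate the next free one
    and create the user there. `run` is injectable so the flow can be tested offline.
    Authentication is left to samba-tool/ldbsearch (Kerberos ticket or -U user%pass)."""
    fsmo = run(["samba-tool", "fsmo", "show"], capture_output=True, text=True, check=True).stdout
    dc = rid_master_from_fsmo_output(fsmo)
    with open(lock_path, "w") as lock:
        fcntl.flock(lock, fcntl.LOCK_EX)  # two admins on this host cannot allocate concurrently
        ldif = run(["ldbsearch", "-H", "ldap://%s" % dc, "-U", admin,
                    "(uidNumber=*)", "uidNumber"],
                   capture_output=True, text=True, check=True).stdout
        uid = next_free_id(ids_from_ldif(ldif, "uidNumber"))
        run(build_create_command(username, uid, gid_number, dc, admin), check=True)
    return uid


if __name__ == "__main__":
    # Offline walk-through on the constructed samples; no DC is contacted here.
    dc = rid_master_from_fsmo_output(FSMO_SAMPLE)
    uid = next_free_id(ids_from_ldif(LDIF_SAMPLE, "uidNumber"))
    print("RID master:", dc, "next uidNumber:", uid)
    print(" ".join(build_create_command("anton", uid, 10000, dc)))
```

Pinning the read-then-create to one DC removes the cross-DC race the thread describes; the file lock only covers admins running the script on the same host, so if several hosts may create accounts, run it from one place (the RID master itself is the natural choice).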