[Samba] A few questions and propositions on the samba architecture

Anton Engelhardt engelhardt.anton at gmail.com
Fri Jul 13 22:21:06 UTC 2018

It's not possible to do safe domain-wide atomic updates, now.

I'll make a few generic assumptions, as I'm unfortunately not that deep 
into the actual implementation. "What would Microsoft do" is a good 
question, afaik they bypassed that problem by prepending a unique server 
prefix in front of the generated part of the SID.

Assuming there is a primary DC and a backup DC, a "ldap create object 
class user with uidNumber = NULL" gets executed:

 1. on the primary dc. Primary DC is samba and aware of its PDC
    position. Does a transaction updating the msSFU30MaxGidNumber,
    assigning it to the user.
 2. on the backup dc. BDC does nothing but replicate to the PDC. PDC
    picks up replicated "create user transaction", does its job as in 1
 3. on the backup dc. Primary DC is Microsoft. Nothing happens, as this
    is a samba only feature ;-)

There always is a scenario of a netsplit, leaving both DCs in a PDC 
position, at least I assume that, as this is always a possibility. I 
think the key with this concept is to restrict those "atomic updates" to 
the active pdc. Having two active PDCs at any given time is very bad afaik.

Furthermore it could be possible to create a samba only hierarchy of PDC 
and BDC, therefore there would be something like a SAMBA-PDC and 
SAMBA-BDC state, which is independent of the PDC BDC state itself. To 
avoid the issue in point 3 a BDC running samba, which has the "primary among 
samba", would be the one to do the atomic transaction and then replicate 
the changes.

On 13.07.2018 at 11:40, Andrew Bartlett wrote:
> On Fri, 2018-07-13 at 11:14 +0200, Anton Engelhardt via samba wrote:
>> That explains why there is so little information on ldb and sqlite.
>> From my pov sqlite just seemed interesting, as it has a well known
>> syntax and the ability to embed a transparent logic layer. As there is
>> no effort to use sqlite (or sql) in the future, I just buried that path.
>> As for compatibility I would strongly suggest to stay where Microsoft left
>> off, before killing the "UNIX Attributes" tab in Windows10 RSAT.
>> CN=samdom,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System
>> msSFU30MaxGidNumber
>> msSFU30MaxUidNumber
>> msSFU30OrderNumber
> It isn't possible to do safe domain-wide atomic updates of those
> values.  Sorry.
>> I understand the desire to keep things as compatible as possible, but
>> on the other hand open source software usually offers way more flexibility.
>> In my head there are 2 solutions, which should be completely client
>> compatible and introduce no behavioral change:
>>   1. interval poll all class=user objects where uid=NULL, get values from
>>      above mentioned entries, compose an update transaction (that's the
>>      "Just write a powershell script" variant)
>>   2. same as 1, just with some sort of trigger (or better filtered
>>      subscriptions) for external scripts in samba
>> What I also have in mind with this architecture would be something like
>> password tokens, but keep in mind this is just a thought.
>> The password passed on to ldap auth could be, if the user has an
>> attribute like "requreToken", stripped of, like, the last 6 chars, which
>> represent the token. The password is matched against the hashed password
>> in the ldap user entry, the token is processed in an external app, if
>> both are a success, login is fine. This probably would require kerberos
>> tickets, as the password is constantly changing, but would introduce a
>> lot of flexibility, for those who dare.
> 389ds does something like that.
>> In terms of internal scripting, is there already anything in samba?
> Not in the LDB layer.  The closest is the check password script hook,
> which is severely restricted due to running with the transaction lock
> held.
> Andrew Bartlett
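The polling variant sketched in the quoted reply (search for user objects without a uidNumber, take the next value from the msSFU30 counter, write one update batch) together with the netsplit concern raised in the message above, as an added example that is not part of this thread and not Samba's own code. It runs against an in-memory stand-in for the directory under a constructed domain DC=samdom,DC=example, treats msSFU30MaxUidNumber as the next free value (an assumption about the counter's semantics), and refuses to allocate when the counter has fallen behind uidNumbers already in use, which is exactly what two partitioned DCs allocating independently leave behind. The duplicate-uidNumber check shows why that state matters: UNIX hosts consuming the mapping would see two accounts as one identity.

```python
# Offline simulation of "poll users lacking uidNumber, allocate from the
# msSFU30 counter, write one update batch".  Added example, not Samba code;
# the tree is an in-memory dict standing in for the LDAP directory.
from collections import defaultdict

BASE = "DC=samdom,DC=example"  # constructed domain
COUNTER_DN = f"CN=samdom,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,{BASE}"
COUNTER_ATTR = "msSFU30MaxUidNumber"  # assumed to hold the next free uidNumber
# The filter a live poll would send to the DC instead of scanning a dict.
FILTER_UNASSIGNED = "(&(objectClass=user)(!(uidNumber=*)))"


def sample_directory():
    """Constructed state: one user already mapped, two waiting, counter in step."""
    return {
        COUNTER_DN: {COUNTER_ATTR: ["10002"]},
        f"CN=alice,CN=Users,{BASE}": {"objectClass": ["user"], "uidNumber": ["10001"]},
        f"CN=bob,CN=Users,{BASE}": {"objectClass": ["user"]},
        f"CN=carol,CN=Users,{BASE}": {"objectClass": ["user"]},
        f"CN=dc01,CN=Computers,{BASE}": {"objectClass": ["computer"]},
    }


def post_netsplit_directory():
    """Constructed state after two DCs each allocated while partitioned: bob and
    dave both received 10002, and the counter that won replication conflict
    resolution (10003) is not above erin's 10003."""
    d = sample_directory()
    d[f"CN=bob,CN=Users,{BASE}"]["uidNumber"] = ["10002"]
    d[f"CN=dave,CN=Users,{BASE}"] = {"objectClass": ["user"], "uidNumber": ["10002"]}
    d[f"CN=erin,CN=Users,{BASE}"] = {"objectClass": ["user"], "uidNumber": ["10003"]}
    d[COUNTER_DN][COUNTER_ATTR] = ["10003"]
    return d


def unassigned_users(directory):
    """In-memory equivalent of a search with FILTER_UNASSIGNED, in stable order."""
    return sorted(dn for dn, e in directory.items()
                  if "user" in e.get("objectClass", []) and not e.get("uidNumber"))


def uid_collisions(directory):
    """uidNumbers held by more than one entry: the post-netsplit failure mode."""
    holders = defaultdict(list)
    for dn, e in directory.items():
        for v in e.get("uidNumber", []):
            holders[int(v)].append(dn)
    return {uid: sorted(dns) for uid, dns in holders.items() if len(dns) > 1}


def compose_update(directory):
    """One batch: consecutive uidNumbers for every unassigned user, then the
    counter bumped past them.  Refuses if the counter is not above the highest
    uidNumber already in use, since that means another allocator has run."""
    counter = int(directory[COUNTER_DN][COUNTER_ATTR][0])
    in_use = [int(v) for e in directory.values() for v in e.get("uidNumber", [])]
    if in_use and max(in_use) >= counter:
        raise RuntimeError(f"{COUNTER_ATTR}={counter} not above highest assigned "
                           f"uidNumber {max(in_use)}; refusing to allocate")
    ops = []
    for dn in unassigned_users(directory):
        ops.append((dn, "add", "uidNumber", str(counter)))
        counter += 1
    ops.append((COUNTER_DN, "replace", COUNTER_ATTR, str(counter)))
    return ops


def to_ldif(ops):
    """Render the batch as LDIF change records, the form ldbmodify/ldapmodify read."""
    records = []
    for dn, change, attr, value in ops:
        records.append(f"dn: {dn}\nchangetype: modify\n{change}: {attr}\n{attr}: {value}\n-\n")
    return "\n".join(records)


def apply_ops(directory, ops):
    """Apply the batch in memory, all or nothing, mirroring one transaction."""
    staged = {dn: dict(e) for dn, e in directory.items()}
    for dn, change, attr, value in ops:
        if change == "add" and staged[dn].get(attr):
            raise RuntimeError(f"{dn} already has {attr}")
        staged[dn] = {**staged[dn], attr: [value]}
    directory.clear()
    directory.update(staged)
    return directory


if __name__ == "__main__":
    tree = sample_directory()
    print(to_ldif(compose_update(tree)))
    print("collisions after netsplit:", uid_collisions(post_netsplit_directory()))
```

The refusal in compose_update is the point the message makes about restricting allocation to one active PDC: a single writer that checks the counter against what is already assigned before writing can at least detect that a second allocator has been at work, even if it cannot undo the duplicate it finds.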
