[Samba4] [Patch] Fixes and Improvements to samba3sam

Andrew Bartlett abartlet at samba.org
Thu Nov 16 21:39:00 GMT 2006


On Thu, 2006-11-16 at 13:01 +0100, Martin Kühl wrote:
> Hi,
> 
> I've made a few improvements (I think) and modifications to the samba3sam
> module while trying to link samba4 to an existing filled LDAP server with the
> samba3 and samba4 schemas loaded.
> 
> Find attached the series of patches to samba3sam.c I generated from this work,
> the purpose of each summarized below:
> 
> - samba3sam-01-val_copy.patch:
>   The `convert_uid_samaccount' function has the same purpose as `val_copy'
>   from entryUUID, so I reused the code.  This is an example of a function that
>   might be added to a hypothetical `ldb_map_convenience' file so it can be
>   reused in mapping modules.

Yeah, that kind of a file would be very useful.

> - samba3sam-02-sid-dont-talloc.patch:
>   Removes unnecessary allocing (which wasn't error checked either) from
>   the encode_sid and decode_sid functions.
> 
> - samba3sam-03-passwd-convert.patch:
>   Changes the mappings for the NT and LM password hash.  Experiments suggested
>   that samba4 stored these as a sequence of 16 bytes while openldap stored
>   them as a string of 32 hex digits.  These functions might not be terribly
>   efficient but should be straightforward to read.

You should be able to find the functions you need in
lib/samba3/smbpasswd.c

> - samba3sam-04-unixName-generate.patch:
>   The current ldb_map doesn't support multiple mappings from a local name to
>   different remote names; this patch changes the "unixName -> uid, uidNumber
>   etc." mappings to a single generator that should work as intended.

I'm confused, do we actually want to have a local name map to multiple
remote names?  

> - samba3sam-05-whitespace-cleanup.patch:
>   The effect of M-x whitespace-cleanup RET: removes trailing whitespace and
>   fixes mixed spaces and tabs in indentations.
> 
> - samba3sam-06-reorder-functions.patch:
>   Reorders the mapping functions so we have parse-tree converters first, value
>   converters next and generators last.  I found this order easier to navigate.
> 
> - samba3sam-07-reorder-attributes.patch:
>   Reorders the attributes so we have ignored ones first, then kept ones,
>   and the rest roughly ordered by "topic" (passwords, posix info, rid/sid).
>   Further suggestions very welcome. :-)

Yeah, these files get long.  Sounds sensible.

> - samba3sam-08-copyright.patch:
>   Adds a copyright line for me.
> 
> The last four patches are concerned with the changes required to eliminate the
> need for a fallback partition and might be less interesting for now.
> 
> - samba3sam-09-unixName-generate-keep.patch:
> - samba3sam-10-groupType-generate.patch:
> - samba3sam-11-objectSid-generate.patch:
>   The unixName, groupType and objectSid attributes are required due to
>   objectclass constraints for samba4 objects; these patches modify their
>   mappings so they will be kept in the remote partition as-is.  The parse-tree
>   conversion function in fact relies on this behaviour and just leaves trees
>   checking for the local attributes as-is as well.
>   The parse-tree converter and `copy_element' function are again
>   convenience functions.

The objectSid part of this is a challenge.  We need to decide if we are
going to use sambaSID or objectsid in this backend.  I would suggest
that we should only use sambaSID if we are trying to do a 'could be
deployed against an existing OpenLDAP structure'.  

We can extend ad2oLschema to munge the schema with the schema mapping
file, so all instances of objectSid become sambaSID.

Given the impact on performance, I would like to avoid using generate
mappings as much as possible.

> - samba3sam-12-dont-fallback.patch:
>   Removes all ignored attributes from the attribute list and adds a wildcard
>   mapping instead.  Also changes the call to ldb_map_init so we don't require
>   a fallback partition.  *Also* removes the objectClass mappings from the same
>   call, as they lead to a number of additional problems I haven't found a nice
>   (or, in fact, any) solution to yet.
> 
> Please review the ones you're interested in.

I think this could be interesting as a different 'module' (potentially
in the same file).  

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com
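The hash format mismatch discussed for samba3sam-03 (samba4 keeping the NT/LM hash as 16 raw bytes, the samba3 LDAP schema storing 32 hex digits) is illustrated below with an added, self-contained example; it is not code from the patches or from Samba's lib/samba3/smbpasswd.c. It assumes a strict converter that rejects any value which is not exactly 32 hex digits rather than producing a truncated or garbage hash, and the hash value in the test is a constructed sample.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HASH_LEN 16                 /* NT / LM hash: 16 raw bytes (samba4 side) */
#define HASH_HEX_LEN (2 * HASH_LEN) /* 32 hex digits (samba3 LDAP schema side) */

/* Decode one hex digit; returns -1 for anything that is not a hex digit. */
static int hex_nibble(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Remote -> local: 32 hex digits to 16 bytes.  Both the length and every
 * character are validated so a malformed directory value is refused rather
 * than silently mapped to a wrong hash. */
bool hash_from_hex(const char *hex, size_t hex_len, uint8_t out[HASH_LEN])
{
    if (hex == NULL || hex_len != HASH_HEX_LEN) return false;
    for (size_t i = 0; i < HASH_LEN; i++) {
        int hi = hex_nibble(hex[2 * i]);
        int lo = hex_nibble(hex[2 * i + 1]);
        if (hi < 0 || lo < 0) return false;
        out[i] = (uint8_t)((hi << 4) | lo);
    }
    return true;
}

/* Local -> remote: 16 bytes to 32 upper-case hex digits plus a NUL
 * terminator (upper case, as the smbpasswd file format writes them). */
void hash_to_hex(const uint8_t in[HASH_LEN], char out[HASH_HEX_LEN + 1])
{
    static const char digits[] = "0123456789ABCDEF";
    for (size_t i = 0; i < HASH_LEN; i++) {
        out[2 * i]     = digits[in[i] >> 4];
        out[2 * i + 1] = digits[in[i] & 0x0f];
    }
    out[HASH_HEX_LEN] = '\0';
}

/* Round trip: decode a hex value, then re-encode it canonically. */
bool hash_roundtrip(const char *hex, char out[HASH_HEX_LEN + 1])
{
    uint8_t raw[HASH_LEN];
    if (!hash_from_hex(hex, strlen(hex), raw)) return false;
    hash_to_hex(raw, out);
    return true;
}
```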