Anton Engelhardt
2018-Jul-13 09:14 UTC
[Samba] A few questions and propostions on the samba architecture
That explains why there is so little information on ldb and sqlite.

From my pov sqlite just seemed interesting, as it has a well-known syntax and the ability to embed a transparent logic layer. As there is no effort to use sqlite (or sql) in the future, I just buried that path.

As for compatibility I would strongly suggest to stay where Microsoft left off, before killing the "UNIX Attributes" tab in Windows 10 RSAT.
CN=samdom,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System
msSFU30MaxGidNumber
msSFU30MaxUidNumber
msSFU30OrderNumber

I understand the desire to keep things as compatible as possible, but on the other hand open source software usually offers way more flexibility.

In my head there are 2 solutions, which should be completely client compatible and introduce no behavioral change:

1. interval poll all class=user objects where uid=NULL, get values from the above mentioned entries, compose an update transaction (that's the "Just write a powershell script" variant)
2. same as 1, just with some sort of trigger (or better filtered subscriptions) for external scripts in samba

What I also have in mind with this architecture would be something like password tokens, but keep in mind this is just a thought.

The password passed on to ldap auth could be, if the user has an attribute like "requireToken", stripped of, say, the last 6 chars, which represent the token. The password is matched against the hashed password in the ldap user entry, the token is processed in an external app; if both are a success, login is fine. This probably would require kerberos tickets, as the password is constantly changing, but would introduce a lot of flexibility, for those who dare.

In terms of internal scripting, is there already anything in samba?

On 13.07.2018 at 10:25, Andrew Bartlett wrote:
> On Fri, 2018-07-13 at 09:36 +0200, Anton Engelhardt via samba wrote:
>> Due to a few problems I encountered I had a tiny look at the samba code
>> and got a few questions, statements and propositions.
>> Please by all means, correct me if I got something wrong.
>>
>> 1. besides filestore for shares and config files samba uses ldb as an
>>    exclusive storage backend
>>    1. LDB supports TDB, LDAP and SQLITE3 backend
>>    2. Samba hard codes to TDB files like "sam.ldb"
>> 2. ldap does not support any server side actions
>>    1. Not possible to implement "on create class user
>>       uidNumber=get_next_free_uid()"
>>    2. Only possible to define required/optional attributes
>> 3. ldap service is provided through ldb-ldap -> tdb
>>
>> I don't know if it is a good idea, but when using something like sqlite3
>> it would be possible to use "CREATE TRIGGER", to perform some automation
>> magic on server side, like giving out uidNumber and gidNumber.
>>
>> Or even use "CREATE VIEW" with "CREATE TRIGGER" to implement fancy stuff
>> like server side transparent password token validation.
>>
>> Depending on my understanding of the current architecture and the state
>> of the ldb sqlite backend this would seem like the easiest approach,
>> correct me if I'm too far off.
> Using ldb_sqlite wouldn't help, as we don't use it in a smart way, it
> was added (and then left unmaintained, we really should remove it) in
> the hope of getting transaction support, but instead that was gained
> via tdb.
>
> The uidNumber and gidNumber changes you desire are reasonable, and we
> could do those in the samldb module or similar. We haven't done so
> because:
> - at the time we were trying to match Windows AD behaviour exactly.
> - the allocation needs to be stateless or manage the free id pool like
>   the RID pool.
>
> (Because we need to ensure that two users created at the same time on
> different servers don't overlap uids)
>
> My preference is to have these modules use the same RID+offset
> algorithm that sssd uses, and leverage the RID as a unique value.
>
> The key would be to make this relatively compatible with the settings
> used in winbindd on the file server, so if that RID base were
> inappropriate another could be chosen via idmap_rid.
>
> However I've not had the time to implement this, sadly.
>
> Andrew Bartlett
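The RID+offset scheme Andrew describes in the quoted mail (the idmap_rid / sssd approach) is what makes the allocation stateless: two DCs never hand out the same RID because the RID master gives each DC its own block, so a uid derived from the RID cannot collide either, while a replicated "next free uid" counter such as msSFU30MaxUidNumber can. The following Python is an added illustration written for this page, not Samba, sssd or winbindd code; the domain SID, the range 10000-19999 and the RID block sizes are made up for the simulation.

```python
import re
from dataclasses import dataclass

# An object SID is the domain SID (S-1-5-21-a-b-c) followed by the object's RID.
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


@dataclass(frozen=True)
class RidRange:
    """One idmap_rid-style range for a single domain.

    unix id = low + (rid - base_rid); anything that lands outside
    [low, high] is rejected rather than silently wrapped.  No state is
    kept, so every DC computes the same answer from the same SID.
    """
    domain_sid: str
    low: int
    high: int
    base_rid: int = 0

    def to_unix_id(self, sid: str) -> int:
        m = SID_RE.match(sid)
        if m is None:
            raise ValueError(f"not an object SID: {sid!r}")
        domain, rid = m.group(1), int(m.group(2))
        if domain != self.domain_sid:
            raise ValueError(f"{sid} does not belong to {self.domain_sid}")
        unix_id = self.low + (rid - self.base_rid)
        if not self.low <= unix_id <= self.high:
            raise ValueError(f"RID {rid} maps to {unix_id}, outside {self.low}-{self.high}")
        return unix_id

    def to_sid(self, unix_id: int) -> str:
        if not self.low <= unix_id <= self.high:
            raise ValueError(f"{unix_id} is outside {self.low}-{self.high}")
        return f"{self.domain_sid}-{unix_id - self.low + self.base_rid}"


def lookup(rng: RidRange, sid: str):
    """Mapping that returns None instead of raising, for callers that treat
    'no mapping' as 'not a POSIX user' (the way an NSS lookup would)."""
    try:
        return rng.to_unix_id(sid)
    except ValueError:
        return None


@dataclass
class RidPool:
    """A DC's private slice of the domain RID space.  In AD the RID master
    hands each DC a disjoint block, so RIDs are unique without any
    cross-DC locking.  Block boundaries here are made up for the simulation."""
    next_rid: int
    end_rid: int

    def allocate(self) -> int:
        if self.next_rid > self.end_rid:
            raise RuntimeError("RID pool exhausted; request a new block from the RID master")
        rid, self.next_rid = self.next_rid, self.next_rid + 1
        return rid


def create_users_on_two_dcs(rng: RidRange, n: int):
    """n users created simultaneously on two DCs, uids derived from their RIDs."""
    dc1, dc2 = RidPool(1100, 1599), RidPool(1600, 2099)
    uids_dc1 = [rng.to_unix_id(f"{rng.domain_sid}-{dc1.allocate()}") for _ in range(n)]
    uids_dc2 = [rng.to_unix_id(f"{rng.domain_sid}-{dc2.allocate()}") for _ in range(n)]
    return uids_dc1, uids_dc2


def create_users_with_shared_counter(counter: int, n: int):
    """Same scenario with a replicated 'next free uid' counter such as
    msSFU30MaxUidNumber.  Each DC reads the counter before the other DC's
    write has replicated, so both hand out the same numbers."""
    return [counter + 1 + i for i in range(n)], [counter + 1 + i for i in range(n)]


if __name__ == "__main__":
    rng = RidRange("S-1-5-21-1-2-3", low=10000, high=19999)
    print(rng.to_unix_id("S-1-5-21-1-2-3-1104"))      # 11104
    a, b = create_users_on_two_dcs(rng, 3)
    print(a, b, "overlap:", set(a) & set(b))           # overlap: set()
    c, d = create_users_with_shared_counter(10000, 3)
    print(c, d, "overlap:", set(c) & set(d))           # overlap: {10001, 10002, 10003}
```

The range check matters in practice: a RID larger than the range width would otherwise map past `high` and could land in a range belonging to another domain, which is exactly what Andrew's remark about choosing a different base via idmap_rid on the file server is about.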
Andrew Bartlett
2018-Jul-13 09:40 UTC
[Samba] A few questions and propostions on the samba architecture
On Fri, 2018-07-13 at 11:14 +0200, Anton Engelhardt via samba wrote:
> That explains why there is so little information on ldb and sqlite.
>
> From my pov sqlite just seemed interesting, as it has a well-known
> syntax and the ability to embed a transparent logic layer. As there is
> no effort to use sqlite (or sql) in the future, I just buried that path.
>
> As for compatibility I would strongly suggest to stay where Microsoft left
> off, before killing the "UNIX Attributes" tab in Windows 10 RSAT.
> CN=samdom,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System
> msSFU30MaxGidNumber
> msSFU30MaxUidNumber
> msSFU30OrderNumber

It isn't possible to do safe domain-wide atomic updates of those values. Sorry.

> I understand the desire to keep things as compatible as possible, but
> on the other hand open source software usually offers way more flexibility.
>
> In my head there are 2 solutions, which should be completely client
> compatible and introduce no behavioral change:
>
> 1. interval poll all class=user objects where uid=NULL, get values from
>    the above mentioned entries, compose an update transaction (that's the
>    "Just write a powershell script" variant)
> 2. same as 1, just with some sort of trigger (or better filtered
>    subscriptions) for external scripts in samba
>
> What I also have in mind with this architecture would be something like
> password tokens, but keep in mind this is just a thought.
>
> The password passed on to ldap auth could be, if the user has an
> attribute like "requireToken", stripped of, say, the last 6 chars, which
> represent the token. The password is matched against the hashed password
> in the ldap user entry, the token is processed in an external app; if
> both are a success, login is fine. This probably would require kerberos
> tickets, as the password is constantly changing, but would introduce a
> lot of flexibility, for those who dare.

389ds does something like that.

> In terms of internal scripting, is there already anything in samba?

Not in the LDB layer. The closest is the check password script hook, which is severely restricted due to running with the transaction lock held.

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
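Anton's "password||token" idea above, which Andrew compares to what 389ds does, only needs a few lines of logic on the server side, but the details are where it goes wrong: the split must refuse a credential too short to hold both parts, the token must be compared in constant time, and both factors must be evaluated so that a failure does not reveal which one failed. The Python below is an added sketch by the editor of that bind-side logic, not Samba or 389ds code. It assumes PBKDF2 for the stored password hash and a 6-digit RFC 6238 TOTP for the token, and the attribute names `pwdSalt`, `pwdHash`, `requireToken` and `tokenKey` are hypothetical stand-ins for whatever the directory entry would really carry. It covers a simple bind only; the Kerberos pre-authentication problem Anton mentions is out of its scope.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional

TOKEN_LEN = 6        # the "last 6 chars" from the proposal
TOTP_STEP = 30       # seconds per TOTP window (RFC 6238 default)
PBKDF2_ROUNDS = 200_000


def split_credential(secret: str, token_len: int = TOKEN_LEN):
    """Split 'password||token' into (password, token).

    A secret no longer than the token would leave an empty password, so it
    is rejected outright instead of being half-checked."""
    if len(secret) <= token_len:
        raise ValueError("credential too short to contain both password and token")
    return secret[:-token_len], secret[-token_len:]


def hash_password(password: str, salt: Optional[bytes] = None):
    """PBKDF2-HMAC-SHA256; stands in for whatever hash the directory stores."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, expected)


def hotp(key: bytes, counter: int, digits: int = TOKEN_LEN) -> str:
    """RFC 4226 HOTP with SHA-1 and dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(key: bytes, now: int, step: int = TOTP_STEP, digits: int = TOKEN_LEN) -> str:
    """RFC 6238 TOTP: HOTP over the current time step."""
    return hotp(key, now // step, digits)


def verify_token(key: bytes, token: str, now: int, window: int = 1) -> bool:
    """Accept the current step and `window` steps either side for clock skew.
    Every candidate is compared, so timing does not reveal which one matched."""
    if not (token.isascii() and token.isdigit() and len(token) == TOKEN_LEN):
        return False
    ok = False
    for delta in range(-window, window + 1):
        ok |= hmac.compare_digest(totp(key, now + delta * TOTP_STEP), token)
    return ok


def authenticate(entry: dict, secret: str, now: int) -> bool:
    """Decide a simple bind for one directory entry.

    `entry` stands in for the LDAP user object with hypothetical attributes:
    pwdSalt/pwdHash (stored credential), requireToken (bool) and tokenKey
    (the shared TOTP secret the external token app would hold)."""
    if entry.get("requireToken"):
        try:
            password, token = split_credential(secret)
        except ValueError:
            return False
    else:
        password, token = secret, None
    pw_ok = verify_password(password, entry["pwdSalt"], entry["pwdHash"])
    if token is None:
        return pw_ok
    tok_ok = verify_token(entry["tokenKey"], token, now)   # always evaluated, no short-circuit
    return pw_ok and tok_ok


if __name__ == "__main__":
    key = b"12345678901234567890"                 # RFC 6238 test key, not a real secret
    salt, digest = hash_password("correct horse")
    user = {"pwdSalt": salt, "pwdHash": digest, "requireToken": True, "tokenKey": key}
    print(authenticate(user, "correct horse" + totp(key, 59), now=59))   # True
    print(authenticate(user, "correct horse" + "000000", now=59))        # False
```

Note the remaining weakness of the scheme itself, independent of this code: because the last six characters are always taken as the token, a password that happens to end in six digits is indistinguishable from a shorter password plus a token, so the `requireToken` flag has to be per-user and enforced, never guessed from the input.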
Rowland Penny
2018-Jul-13 09:59 UTC
[Samba] A few questions and propostions on the samba architecture
On Fri, 13 Jul 2018 11:14:02 +0200
Anton Engelhardt via samba <samba at lists.samba.org> wrote:
> That explains why there is so little information on ldb and sqlite.
>
> From my pov sqlite just seemed interesting, as it has a well-known
> syntax and the ability to embed a transparent logic layer. As there
> is no effort to use sqlite (or sql) in the future, I just buried
> that path.
>
> As for compatibility I would strongly suggest to stay where Microsoft
> left off, before killing the "UNIX Attributes" tab in Windows 10 RSAT.
> CN=samdom,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System
> msSFU30MaxGidNumber
> msSFU30MaxUidNumber
> msSFU30OrderNumber

They are the attributes that ADUC uses and Samba doesn't. The fear is that the same ID could be used for two users (or groups) if they were created on different DCs at the same time. The sheer fact that nobody has complained of this problem when using ADUC has nothing to do with the problem.

> I understand the desire to keep things as compatible as possible,
> but on the other hand open source software usually offers way more
> flexibility.
>
> In my head there are 2 solutions, which should be completely client
> compatible and introduce no behavioral change:
>
> 1. interval poll all class=user objects where uid=NULL, get values
>    from the above mentioned entries, compose an update transaction (that's the
>    "Just write a powershell script" variant)
> 2. same as 1, just with some sort of trigger (or better filtered
>    subscriptions) for external scripts in samba

I personally have always thought that samba-tool should mirror what ADUC does. You create a basic user, then add other attributes, e.g. RFC2307 attributes, with something that works in the same way as the 'UNIX Attributes' tab. You should also be able to do all this at the same time, which you can almost do at present; the only problem is the '*idNumber' attribute: you have, at present, to scribble this on a piece of paper, use what is on the paper with 'samba-tool user create' and then update the number on the paper.

> What I also have in mind with this architecture would be something
> like password tokens, but keep in mind this is just a thought.
>
> The password passed on to ldap auth could be, if the user has an
> attribute like "requireToken", stripped of, say, the last 6 chars,
> which represent the token. The password is matched against the hashed
> password in the ldap user entry, the token is processed in an
> external app; if both are a success, login is fine. This probably
> would require kerberos tickets, as the password is constantly
> changing, but would introduce a lot of flexibility, for those who
> dare.
>
> In terms of internal scripting, is there already anything in samba?

Only on my PC ;-)

Rowland
Anton Engelhardt
2018-Jul-13 22:21 UTC
[Samba] A few questions and propostions on the samba architecture
It's not possible to do safe domain-wide atomic updates, now. I'll make a few generic assumptions, as I'm unfortunately not that deep into the actual implementation.

"What would Microsoft do" is a good question; afaik they bypassed that problem by prepending a unique server prefix in front of the generated part of the SID.

Assuming there is a primary DC and a backup DC, a "ldap create object class user with uidNumber = NULL" gets executed:

1. on the primary dc. Primary DC is samba and aware of its PDC position. Does a transaction updating the msSFU30MaxGidNumber, assigning it to the user.
2. on the backup dc. BDC does nothing but replicate to the PDC. PDC picks up the replicated "create user transaction", does its job as in 1.
3. on the backup dc. Primary DC is Microsoft. Nothing happens, as this is a samba only feature ;-)

There always is a scenario of a netsplit, leaving both DCs in a PDC position, at least I assume that, as this is always a possibility. I think the key with this concept is to restrict those "atomic updates" to the active pdc. Having two active PDCs at any given time is very bad afaik.

Furthermore it could be possible to create a samba only hierarchy of PDC and BDC, therefore there would be something like a SAMBA-PDC and SAMBA-BDC state, which is independent of the PDC BDC state itself. To avoid the issue in point 3 a BDC running samba, which has the "primary among samba", would be the one to do the atomic transaction and then replicate the changes.

On 13.07.2018 at 11:40, Andrew Bartlett wrote:
> On Fri, 2018-07-13 at 11:14 +0200, Anton Engelhardt via samba wrote:
>> That explains why there is so little information on ldb and sqlite.
>>
>> From my pov sqlite just seemed interesting, as it has a well-known
>> syntax and the ability to embed a transparent logic layer. As there is
>> no effort to use sqlite (or sql) in the future, I just buried that path.
>>
>> As for compatibility I would strongly suggest to stay where Microsoft left
>> off, before killing the "UNIX Attributes" tab in Windows 10 RSAT.
>> CN=samdom,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System
>> msSFU30MaxGidNumber
>> msSFU30MaxUidNumber
>> msSFU30OrderNumber
> It isn't possible to do safe domain-wide atomic updates of those
> values. Sorry.
>
>> I understand the desire to keep things as compatible as possible, but
>> on the other hand open source software usually offers way more flexibility.
>>
>> In my head there are 2 solutions, which should be completely client
>> compatible and introduce no behavioral change:
>>
>> 1. interval poll all class=user objects where uid=NULL, get values from
>>    the above mentioned entries, compose an update transaction (that's the
>>    "Just write a powershell script" variant)
>> 2. same as 1, just with some sort of trigger (or better filtered
>>    subscriptions) for external scripts in samba
>>
>> What I also have in mind with this architecture would be something like
>> password tokens, but keep in mind this is just a thought.
>>
>> The password passed on to ldap auth could be, if the user has an
>> attribute like "requireToken", stripped of, say, the last 6 chars, which
>> represent the token. The password is matched against the hashed password
>> in the ldap user entry, the token is processed in an external app; if
>> both are a success, login is fine. This probably would require kerberos
>> tickets, as the password is constantly changing, but would introduce a
>> lot of flexibility, for those who dare.
> 389ds does something like that.
>
>> In terms of internal scripting, is there already anything in samba?
> Not in the LDB layer. The closest is the check password script hook,
> which is severely restricted due to running with the transaction lock
> held.
>
> Andrew Bartlett