[Kolab-devel] Integration of Kolab2 and Samba

Martin Konold martin.konold at erfrakon.de
Thu Jul 12 17:00:47 CEST 2007


On Wednesday 13 June 2007 Ingo Steuwer wrote:

Hi Ingo,

> > 1.2 Possible solution
> >
> > Kolab with Samba integrated uses exclusively Samba as a backend for
> > authentication. Basically this means that SASL is not using LDAP
> > directly but Samba as a backend.
>
> Don't forget postfix which AFAIK doesn't use SASL.

Hmm,.. http://www.postfix.org/SASL_README.html tells me the opposite?!

> > of POSIX operating systems. SIDs are much longer (up to 512 bytes instead
> > of only 2/4 bytes).
>
> Samba uses both SID and UID/GID as it needs an underlying POSIX-user for
> each samba-user. This is because samba relies on the filesystem for file
> access control, which knows nothing about SIDs. But you may use winbind for
> automated mapping, but it may be more complex than mapping it yourself.

This automatic mapping of winbind is imho not a good approach. Basically this 
is due to the non-deterministic mapping across servers. (The mapping happens 
either at runtime dynamically starting from an initial number or is done at a 
fixed time)

> > It is impossible to create an algorithmic bidirectional mapping between
> > UID/GID and SIDs.
> > Therefore Samba uses dynamically maintained maps as a workaround. This
> > situation is suboptimal and causes many problems.
>
> -> winbind.

winbind does not solve the algorithmic problem of bidirectional mapping. (Two 
samba servers will have different mappings in the very same organisation)

> > On the other hand SIDs are much more expressive and selfdescribing. When
> > looking at a SID you can immediately determine if it is a user or a
> > group.
>
> Mhm, you need at least to search for it in LDAP, AFAIK the number alone
> follows no convention.

A typical SID looks like S-1-5-21-2334373287-406835450-3753124356-1110.

"S-1-5-21" contains a version number and a reference to the windows security 
subsystem.
"2334373287-406835450-3753124356" is the authority of the issuing system 
and "1110" is the relative authority.

SIDs are _globally_ unique and a lookup is very cheap in order to figure out 
further details about this user/group.

> > Make Kolab totally independent from UID/GID concept. Actually the number
> > of places where UID/GID is used in Kolab is very limited and not really
> > needed.
>
> This would make Kolab totally unusable in Linux-desktop scenarios which
> want to authenticate against LDAP...

I tend to disagree, as this would make Kolab independent of Unix UID/GID but 
still allow putting Unix UID/GID info in the LDAP tree for legacy 
applications.

Regards,
-- martin konold

-- 
e r f r a k o n
Erlewein, Frank, Konold & Partner - Beratende Ingenieure und Physiker
Sitz: Adolfstraße 23 Stuttgart - Partnerschaftsregister Stuttgart PR 126
http://www.erfrakon.com/
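Added example (not code from Kolab, Samba or either poster) illustrating the two points argued above: the structure of a SID string and its binary form, what can and cannot be read off the RID without a directory lookup, and a deterministic RID-based uid mapping in the spirit of Samba's idmap_rid backend (unix id = range_low + RID). The domain SID, the uid ranges and the "server A / server B" split are constructed for the example; the well-known RID table is the standard Windows one.

```python
"""SID parsing, binary round-trip, RID classification and a deterministic
per-domain idmap.  Example code only; the domain SID and ranges below are
constructed, not taken from any real deployment."""
import struct

# Standard well-known RIDs inside a domain SID (S-1-5-21-...).  Anything
# >= 1000 is an ordinary account or group whose type is NOT encoded in the
# number: you must ask the directory (the point Ingo makes above).
WELL_KNOWN_DOMAIN_RIDS = {
    500: ("user", "Administrator"),
    501: ("user", "Guest"),
    502: ("user", "krbtgt"),
    512: ("group", "Domain Admins"),
    513: ("group", "Domain Users"),
    514: ("group", "Domain Guests"),
    515: ("group", "Domain Computers"),
    516: ("group", "Domain Controllers"),
    519: ("group", "Enterprise Admins"),
}


def parse_sid(text):
    """'S-1-5-21-a-b-c-1110' -> (revision, identifier authority, [subauthorities])."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID: %r" % text)
    revision = int(parts[1])
    # The 48-bit identifier authority is written in hex once it exceeds 32 bits.
    auth = int(parts[2], 16) if parts[2].startswith("0x") else int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or auth >= 1 << 48 or len(subs) > 15 \
            or any(not 0 <= s <= 0xFFFFFFFF for s in subs):
        raise ValueError("malformed SID: %r" % text)
    return revision, auth, subs


def format_sid(revision, auth, subs):
    return "-".join(["S", str(revision), str(auth)] + [str(s) for s in subs])


def sid_to_bytes(text):
    """Binary SID: revision (1), subauthority count (1), authority (6, big-endian),
    then each subauthority as a little-endian uint32."""
    rev, auth, subs = parse_sid(text)
    return (struct.pack("<BB", rev, len(subs)) + auth.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def sid_from_bytes(data):
    """Inverse of sid_to_bytes; rejects a count that does not match the length."""
    if len(data) < 8:
        raise ValueError("SID too short")
    rev, count = struct.unpack_from("<BB", data, 0)
    auth = int.from_bytes(data[2:8], "big")
    if count > 15 or len(data) != 8 + 4 * count:
        raise ValueError("SID length does not match subauthority count")
    subs = list(struct.unpack_from("<%dI" % count, data, 8))
    return format_sid(rev, auth, subs)


def split_domain(text):
    """Split a domain-relative SID into (domain SID, RID)."""
    rev, auth, subs = parse_sid(text)
    if auth != 5 or len(subs) != 5 or subs[0] != 21:
        raise ValueError("not a domain-relative SID: %r" % text)
    return format_sid(rev, auth, subs[:4]), subs[4]


def classify(text):
    """('user'|'group'|'unknown', well-known name or None) from the RID alone."""
    _domain, rid = split_domain(text)
    return WELL_KNOWN_DOMAIN_RIDS.get(rid, ("unknown", None))


class RidIdmap:
    """Deterministic mapping modelled on idmap_rid: unix id = range_low + RID.
    Bidirectional, but only within one domain and one configured range; two
    servers agree only if they configure the same domain and range."""

    def __init__(self, domain_sid, range_low, range_high):
        self.domain, self.low, self.high = domain_sid, range_low, range_high

    def sid_to_id(self, text):
        domain, rid = split_domain(text)
        if domain != self.domain:
            raise LookupError("SID belongs to another domain: %s" % domain)
        unix_id = self.low + rid
        if unix_id > self.high:
            raise LookupError("RID %d falls outside the configured range" % rid)
        return unix_id

    def id_to_sid(self, unix_id):
        if not self.low <= unix_id <= self.high:
            raise LookupError("id %d outside configured range" % unix_id)
        return "%s-%d" % (self.domain, unix_id - self.low)


def two_servers(sid):
    """Constructed scenario: the same SID on two servers with different ranges."""
    domain, _rid = split_domain(sid)
    server_a = RidIdmap(domain, 10000, 19999)
    server_b = RidIdmap(domain, 20000, 29999)
    return server_a.sid_to_id(sid), server_b.sid_to_id(sid)


if __name__ == "__main__":
    sid = "S-1-5-21-2334373287-406835450-3753124356-1110"
    print(parse_sid(sid), sid_to_bytes(sid).hex(), classify(sid), two_servers(sid))
```

The mapping is only bidirectional per domain and per range: `two_servers` shows the same SID landing on different uids when two servers pick different ranges, which is the cross-server inconsistency discussed above, and `classify` returns "unknown" for RID 1110 because only the well-known RIDs encode user-versus-group in the number itself.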
