[Kolab-devel] Integration of Kolab2 and Samba
Martin Konold
martin.konold at erfrakon.de
Thu Jul 12 17:00:47 CEST 2007
On Wednesday 13 June 2007 Ingo Steuwer wrote:
Hi Ingo,
> > 1.2 Possible solution
> >
> > Kolab with Samba integrated uses exclusively Samba as a backend for
> > authentication. Basically this means that SASL is not using LDAP
> > directly but Samba as a backend.
>
> Don't forget postfix which AFAIK doesn't use SASL.
Hmm,.. http://www.postfix.org/SASL_README.html tells me the opposite?!
> > of POSIX operating systems. SIDs are much longer (up to 512 bytes instead
> > of only 2/4 bytes).
>
> Samba uses both SID and UID/GID as it needs an underlying POSIX user for
> each Samba user. This is because Samba relies on the filesystem for file
> access control, which knows nothing about SIDs. But you may use winbind for
> automated mapping, though it may be more complex than mapping it yourself.
This automatic mapping of winbind is imho not a good approach. Basically this
is due to the non-deterministic mapping across servers. (The mapping happens
either at runtime dynamically, starting from an initial number, or is done at a
fixed time.)
> > It is impossible to create an algorithmic bidirectional mapping between
> > UID/GID and SIDs.
> > Therefore Samba uses dynamically maintained maps as a workaround. This
> > situation is suboptimal and causes many problems.
>
> -> winbind.
winbind does not solve the algorithmic problem of bidirectional mapping. (Two
samba servers will have different mappings in the very same organisation)
> > On the other hand SIDs are much more expressive and self-describing. When
> > looking at a SID you can immediately determine if it is a user or a
> > group.
>
> Mhm, you need at least to search for it in LDAP, AFAIK the number alone
> follows no convention.
A typical SID looks like S-1-5-21-2334373287-406835450-3753124356-1110.
"S-1-5-21" contains a version number and a reference to the Windows security
subsystem.
"2334373287-406835450-3753124356" is the authority of the issuing system
and "1110" is the relative authority.
SIDs are _globally_ unique and a lookup is very cheap in order to figure out
further details about this user/group.
> > Make Kolab totally independent from UID/GID concept. Actually the number
> > of places where UID/GID is used in Kolab is very limited and not really
> > needed.
>
> This would make Kolab totally unusable in Linux desktop scenarios which
> want to authenticate against LDAP...
I tend to disagree, as this would make Kolab independent of Unix UID/GID but
still allow putting Unix UID/GID info in the LDAP tree for legacy
applications.
Regards,
-- martin konold
--
e r f r a k o n
Erlewein, Frank, Konold & Partner - Beratende Ingenieure und Physiker
Sitz: Adolfstraße 23 Stuttgart - Partnerschaftsregister Stuttgart PR 126
http://www.erfrakon.com/
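The thread above argues two things about SIDs: that their textual form decomposes into an issuing authority plus a relative part, and that there is no algorithmic, bidirectional mapping from a SID to a 2/4-byte POSIX UID, so every server that hands out UIDs dynamically ends up with its own table. The following Python is an added illustration of both points, not code from the Kolab or Samba projects. It parses the example SID quoted in the mail using the standard layout (revision, identifier authority, sub-authorities, with the last sub-authority being the RID), computes the size of its binary form against a 32-bit UID, and models two independent "servers" that allocate UIDs in the winbind style (next free number) to show that the same SID receives different UIDs on each. The `IdMap` class, the base value 10000 and the user SIDs `alice`/`bob` are constructed for the example.

```python
"""Parse Windows SIDs and show why SID<->UID mapping needs shared state.

Added example for the Kolab/Samba discussion; not project code.
"""
import re
from dataclasses import dataclass

# Textual SID: "S-" revision "-" identifier authority, then 1..15 sub-authorities.
SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")
MAX_SUBAUTHORITIES = 15
UID_BYTES = 4  # a typical POSIX uid_t is 32 bits wide


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int
    subauthorities: tuple  # last element is the relative identifier (RID)

    @property
    def rid(self):
        return self.subauthorities[-1]

    @property
    def domain(self):
        """Textual SID without the RID: identifies the issuing domain/machine."""
        return "S-%d-%d-%s" % (self.revision, self.authority,
                               "-".join(str(s) for s in self.subauthorities[:-1]))

    def binary_size(self):
        """Bytes in the binary SID layout: 1 revision, 1 sub-authority count,
        6 identifier authority, then 4 bytes per sub-authority."""
        return 8 + 4 * len(self.subauthorities)

    def fits_in_uid(self):
        """True only if the whole SID could be stored losslessly in a uid_t."""
        return self.binary_size() <= UID_BYTES

    def __str__(self):
        return "S-%d-%d-%s" % (self.revision, self.authority,
                               "-".join(str(s) for s in self.subauthorities))


def parse_sid(text):
    """Parse a textual SID, rejecting malformed input and out-of-range fields."""
    m = SID_RE.match(text)
    if not m:
        raise ValueError("not a SID: %r" % text)
    subs = tuple(int(x) for x in m.group(3).split("-")[1:])
    if len(subs) > MAX_SUBAUTHORITIES:
        raise ValueError("too many sub-authorities in %r" % text)
    if any(s > 0xFFFFFFFF for s in subs):
        raise ValueError("sub-authority exceeds 32 bits in %r" % text)
    return Sid(int(m.group(1)), int(m.group(2)), subs)


class IdMap:
    """Table-driven SID<->UID allocator (constructed model of a dynamic idmap).

    Each server hands out the next free number the first time it sees a SID;
    nothing about the SID itself determines the UID, so the table is the
    only source of truth and is local to this server.
    """

    def __init__(self, base=10000):  # base is an assumed starting UID
        self.next_id = base
        self.sid_to_uid = {}
        self.uid_to_sid = {}

    def uid_for(self, sid_text):
        key = str(parse_sid(sid_text))  # canonical form as the table key
        if key not in self.sid_to_uid:
            uid, self.next_id = self.next_id, self.next_id + 1
            self.sid_to_uid[key] = uid
            self.uid_to_sid[uid] = key
        return self.sid_to_uid[key]

    def sid_for(self, uid):
        return self.uid_to_sid[uid]


def demonstrate_divergence():
    """Two servers allocate UIDs for the same users in a different order.

    Returns {sid: (uid on server A, uid on server B)}; the mappings disagree,
    which is the cross-server non-determinism the mail describes.
    """
    alice = "S-1-5-21-2334373287-406835450-3753124356-1110"  # from the mail
    bob = "S-1-5-21-2334373287-406835450-3753124356-1111"    # constructed
    server_a, server_b = IdMap(), IdMap()
    for sid in (alice, bob):          # server A sees alice first
        server_a.uid_for(sid)
    for sid in (bob, alice):          # server B sees bob first
        server_b.uid_for(sid)
    return {sid: (server_a.uid_for(sid), server_b.uid_for(sid))
            for sid in (alice, bob)}


if __name__ == "__main__":
    sid = parse_sid("S-1-5-21-2334373287-406835450-3753124356-1110")
    print("domain:", sid.domain, "rid:", sid.rid,
          "binary bytes:", sid.binary_size(), "fits uid_t:", sid.fits_in_uid())
    for text, (uid_a, uid_b) in demonstrate_divergence().items():
        print(text, "-> server A uid", uid_a, "/ server B uid", uid_b)
```

The `fits_in_uid` check makes the size argument concrete: a five-sub-authority SID occupies 28 bytes in binary form, so any 32-bit UID must be a lookup key into a table rather than a transformation of the SID, and `demonstrate_divergence` shows that two servers keeping such tables independently disagree unless the table itself is shared (for example via a common directory).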