Date: Fri, 17 Apr 1998 12:30:08 +0200
From: Robert Frank <frank@ifi.unibas.ch>
Subject: Re: configuration, ldap and NetInfo
To: samba-technical@samba.anu.edu.au
> On Thu, 16 Apr 1998, Robert Frank wrote:
[snip]
> > The database interface is a bit more tricky:
> > we basically have two options here:
> > - either we do a one-time lookup as if it were a flat file
> > - or we check the database for the value when it is used.
> >
> > The first has the same deficiency as the conf file: changes aren't
> > reflected (until the database is reread), but it is quite easy to
> > implement and requires few changes to the code.
>
> yes, easy and doesn't slow the process
Not so easy with NetInfo, though, as this is a hierarchical database and I
have several options for finding a parameter.
If the parameter exists on several levels, which one to pick? Currently, I
pick the lowest one (this is consistent with the behaviour of other
programs). If I only look up a single parameter, this is easy: stop at the
first occurrence of a parameter on whatever level it is. But when I have
to get all parameters, it gets tricky: I have to scan all levels for all
parameters, carefully avoiding overwriting any already existing
parameters, which means I have to keep track of what was already read.
(The current implementation cheats: it starts top down and simply
overwrites, but that isn't optimal at all!)
For lists, we have an additional option: extend an existing list!
> > The latter always uses up-to-date values, but requires several changes to
> > the code.
>
> It would slow down the process I think, at least with ldap and the
> database being on another machine. (don't know about netinfo)
NetInfo is mostly cached. So access is quite fast.
> > The samba password methods would also need changes in order to use the
> > databases. I'd like to have a scheme similar to SOLARIS nsswitch, which
>
> I like that! Currently I hacked up samba so that if it doesn't find the
> user in the ldap base it falls back to the standard method (etc/passwd and
> smbpasswd)
Luke Kenneth Casson Leighton responded to this:
> jf, that's... _almost_ like a "Domain User" and "local user" system,
> where "Domain Users" are in the ldap database, and "local users" are in
> the passwd/smbpasswd file.
>
> my preference is that this does not occur, but that this occurs instead:
>
> - the etc/passwd/smbpasswd should be a "cache" of the authoritative list
> on the ldap (or other) server
>
> if you do not have _access_ to the ldap (or other) server, then you fall
> back to the etc/passwd/smbpasswd method.
>
> if you _do_ have access to the ldap (or other) server, then you do _not_
> then look up in the etc/passwd/smbpasswd file, but overwrite the entries
> in the etc/passwd/smbpasswd file with those downloaded from the ldap (or
> other) server.
... and for me it's the other way around. NetInfo is a hierarchical
system, and I do have a three-level hierarchy here (three domains: the
entire network, the office and the lab, and the machines). So if I want
some entry to be just on a specific level, it is to be there and only
there, not everywhere. 'Dumping' the passwords to smbpasswd as a backup
would mess things up entirely. Besides, with one or more clones (a MUST
anyway) per subdomain, there is no risk at all. If the master goes down,
the clones will feed the information. And if even these go down then
there's no point in accessing the host, as almost nothing will work
anymore anyway. So the smbpasswd file is either an emergency backup of
SELECTED users (i.e. to get the network up again), or a full substitute
for NetInfo (if this seems too insecure for storing passwords).
> > allows specifying an order of lookups. Of course, real databases such
> > as NetInfo (ldap?) would retrieve even this from the database, not from
> > a file.
>
> isn't it a chicken and egg problem?
No, not really. If NetInfo or ldap aren't accessible, then just fall back
to a flat file (e.g. nsswitch on SOLARIS). If they are, check them for the
order of lookups. I just don't want to have to maintain several nsswitch
files on all machines when I can have all that information in the
database. And it doesn't really matter which order: if the database says
file, then database, ok, so I'll scan for smb.conf first, then the
database.
> If the members of this list are interested, I can send a mail to explain
> why ldap can be a good thing (tm) for samba.
>
> Jean Francois
>
> -----------------------------------------------------------
> : Jean Francois Micouleau : Email: jfm@utc.fr :
> : Universite de : Tel : 03 44 23 47 78 :
> : Technologie de : Service Informatique :
> : Compiegne France : Division IRNM :
> -----------------------------------------------------------
>
-------------------------------------
Institut fuer Informatik tel +41 (0)61 321 99 67
Universitaet Basel fax. +41 (0)61 321 99 15
Robert Frank
Mittlere Strasse 142 rfc822: frank@ifi.unibas.ch (NeXT,MIME mail ok)
CH-4056 Basel (remove any no_spam_ from my return address)
Switzerland
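The hierarchical lookup Robert describes above (stop at the first occurrence when reading one parameter, scan every level without overwriting when reading them all, extend rather than replace lists), as an added example that is not code from the thread or from Samba; the three-level domain names and the parameter values are constructed.

```python
# Added example (not from the thread or from Samba): merging parameters
# across a NetInfo-like domain hierarchy. Levels are listed from the most
# specific (the machine) to the least specific (the whole network). The
# first level that defines a scalar wins, matching "stop at the first
# occurrence"; list parameters are instead extended upward, the
# "additional option" the post mentions for lists.

# Constructed sample hierarchy; the domain names are assumptions.
HIERARCHY = [
    ("/network/office/lab/machine1", {"workgroup": "LAB", "hosts allow": ["10.0.1."]}),
    ("/network/office/lab", {"security": "user", "hosts allow": ["10.0.0."]}),
    ("/network/office", {"workgroup": "OFFICE", "log level": "1"}),
    ("/network", {"workgroup": "CAMPUS", "security": "share", "hosts allow": ["127."]}),
]

def lookup_one(levels, name):
    """Single-parameter case: return the value from the lowest (most
    specific) level that defines `name`, or None if no level has it."""
    for _domain, params in levels:
        if name in params:
            return params[name]
    return None

def merge_bottom_up(levels):
    """All-parameters case: scan from the lowest level upward, keep the
    first scalar seen (never overwrite), extend lists, and record which
    level each scalar came from so the result can be audited."""
    merged, origin = {}, {}
    for domain, params in levels:
        for name, value in params.items():
            if isinstance(value, list):
                current = merged.setdefault(name, [])
                current.extend(v for v in value if v not in current)
            elif name not in merged:
                merged[name] = value
                origin[name] = domain
    return merged, origin

def merge_top_down_overwrite(levels):
    """The 'cheat' the post describes: start at the top and overwrite.
    Scalars end up the same, but each lower level replaces a list rather
    than extending it, so entries from higher levels are lost."""
    merged = {}
    for _domain, params in reversed(levels):
        merged.update(params)
    return merged
```

Comparing the two merge functions on the sample hierarchy shows the difference directly: the bottom-up scan yields all three "hosts allow" entries, while the overwrite version keeps only the machine's entry.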