Ubuntu Domain Server

Christopher Chan christopher.chan at bradbury.edu.hk
Thu Oct 22 08:02:23 UTC 2009


Paul Smith wrote:
> On Thu, 2009-10-22 at 11:56 +0800, Christopher Chan wrote:
>   
>>> It doesn't matter how much work is involved. Do you think the 
>>> Linux/Ubuntu community would be willing to change the way system 
>>> logons work if it meant bug #1 could be completed?
>>>       
>> Let us see. To change the way system logons work would mean changing 
>> pam, the C library and just about anything that has to do with system 
>> accounts. You are welcome to try to convince the Ubuntu community to 
>> maintain a fork of all these essential system libraries and offer some
>> form of backwards compatibility to avoid having to also modify who
>> knows how many other packages like sendmail, apache,
>> bind, ..., ..., ..., everything.
>>     
>
> You guys need to step back a bit.  There's absolutely no reason whatever
> that this _feature_ cannot be implemented on UNIX/Linux.
>
> Yes, obviously the _implementation_ that relies on changing the UID/GID
> scheme is a complete non-starter and cannot even be considered.  There's
> no chance that anyone "upstream" will be willing to break that behavior
> and as you say, Ubuntu cannot essentially rewrite the entire GNU/Linux
> operating system to do away with it (don't forget that UID/GID is
> heavily embedded in the kernel, too, so Ubuntu would have to rework the
> kernel itself extensively).  If this is Ryan's question then the answer
> is definitely no, not even if it meant bug #1 could be completed.  Let's
> all remember our goal here is NOT to beat Microsoft by becoming a free
> version of Windows.  Our goal is to produce a better product, while
> still staying true to the UNIX roots and philosophy (which we believe
> will lead to better software).
>
> However, luckily for us we do not HAVE to change or do away with UID/GID
> in order to implement automatic joins of a workstation.  There's
> absolutely no reason that user "paul.smith" cannot have UID 1000 on one
> system and UID 2000 on another system: you just need to implement a
> mapping mechanism.
>   

At least you are attempting to address the system. Mapping system? I 
guess that means no shared filesystems. Let's try again.

> But there are so many things to be considered before you even get here
> that impact directly on this.  For example, obviously security is
> critical and so you'll need a secure way to do AAA.  How do you add
> users?  How do users authenticate?  Etc. etc.  All critical questions.
> Most likely you will need to base this on Kerberos, just because there's
> nothing else out there with the requisite features + security, that I
> know of anyway.
>
> Once you have that figured out you must end up with some secure token
> which represents a user that you can present to other systems as proof
> of identity.  Then all you have to do is have each host map that token
> to a locally relevant UID/GID.  UID/GID cannot be used between hosts,
> anyway, in any secure fashion.  That's just one idea.
>
>   

There are various different setups to share uid/gid between hosts, from 
NIS to winbind.

> I'm certainly NOT saying it's not a lot of work.  I'm saying that it can
> be done, and it doesn't require throwing out 30+ years of UNIX/POSIX
> history to do it, so let's not dismiss the big idea based only on one
> possible bad implementation.
>
>
>   
I just want to ram in the fact that you cannot change the current system 
of uid/gid, and the only other option will be to build a new AAA system, 
but that requires consensus within the Linux community or it will be an 
Ubuntu-only thing in the beginning, and work will be needed on all 
packages that will use it.
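The two positions above, Paul's "map that token to a locally relevant UID/GID" and Christopher's objection about shared filesystems, can be shown side by side. This is an added illustration, not code from either poster: the directory contents, host names and the base-plus-directory-id mapping (in the spirit of Samba's idmap_rid) are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed "directory": each principal carries a stable numeric id issued
# centrally (an AD RID or LDAP uidNumber would play this role in practice).
DIRECTORY = {"paul.smith": 1103, "chris.chan": 1104}


@dataclass
class Host:
    """A workstation that must turn an authenticated principal into a local uid."""
    name: str
    next_uid: int = 1000
    idmap: dict = field(default_factory=dict)

    def uid_allocating(self, principal: str) -> int:
        # Per-host first-come-first-served allocation: no coordination between hosts.
        if principal not in self.idmap:
            self.idmap[principal] = self.next_uid
            self.next_uid += 1
        return self.idmap[principal]

    def name_allocating(self, uid: int) -> str:
        inverse = {v: k for k, v in self.idmap.items()}
        return inverse.get(uid, f"unknown uid {uid}")


def uid_deterministic(principal: str, base: int = 100000) -> int:
    # Stateless arithmetic mapping: uid = base + directory id, so every host
    # derives the same number for the same principal without sharing state.
    return base + DIRECTORY[principal]


def name_deterministic(uid: int, base: int = 100000) -> str:
    inverse = {v: k for k, v in DIRECTORY.items()}
    return inverse.get(uid - base, f"unknown uid {uid}")


def owner_seen_elsewhere(writer: str, login_order_a, login_order_b):
    """`writer` creates a file on host A on a shared export (NFS stores only the
    numeric uid).  Return who host B believes owns that file under each scheme."""
    a, b = Host("host-a"), Host("host-b")
    for p in login_order_a:
        a.uid_allocating(p)
    for p in login_order_b:
        b.uid_allocating(p)
    stored_uid = a.uid_allocating(writer)  # the number that lands on disk
    allocating_view = b.name_allocating(stored_uid)
    deterministic_view = name_deterministic(uid_deterministic(writer))
    return allocating_view, deterministic_view
```

With different login order on the two hosts, the per-host scheme attributes paul.smith's file to chris.chan on host B, which is an authorization error on any shared export; the deterministic scheme resolves it correctly on both hosts.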