Sharing a 'System Read Access' LDB handle in Samba4

[Luke Howard]

> I suppose the depends if these are held in the main DB.  I was under  
> the
> impression that to avoid massive replication pressure, that these  
> audit
> logs were stored elsewhere, and the only thing to update would be the
> 'week of last logon' timestamp (from memory).

lastLogon was non-replicated, but lastLogonTimestamp (introduced in  
W2K3) is. Also account lockout-related attributes would need to be  
replicated too? I'm a bit hazy on this, I seem to remember that  
lockout attempts were per-DC but presumably once the account is  
actually locked out, this is replicated to all DCs.

-- Luke