Password policy patch on Samba-3.0.2 for LDAP backend

Simo Sorce simo.sorce at xsec.it
Tue Feb 24 08:41:20 GMT 2004


On Fri, 2004-02-20 at 14:15, Jim McDonough wrote:

> This just is more evidence that the holy grail of a "consistent" SAM is
> impossible if you're going to have replication.  It can't happen...period.

I agree.

> If you want a consistent SAM across DC's, you can't use replication, or you
> have to prevent anyone from doing operations until you can guarantee that
> replication has occurred.  As long as there is replication (and there needs
> to be in many cases) there is going to be the situation where different
> replicas have different data.  The issue is minimizing security risks and
> other problems caused by the inconsistencies.
> 
> Andrew, in fact the setup you mentioned last night, a PDC using an LDAP
> slave, which you claim is common (I have no reason to doubt that), you
> could make the claim that the PDC is inconsistent with itself.  :-)

It is, and I have one such.
I had to add timeouts in smb.conf (ldap replication sleep) and scripts
to be sure the replica happened before going on.
Otherwise user creation or domain joins would fail because the
account/password is not yet in the ldap just after it has been written
into the db.

Simo.

-- 
Simo Sorce - simo.sorce at xsec.it
Xsec s.r.l. - http://www.xsec.it
via Garofalo, 39 - 20133 - Milano
mobile: +39 329 328 7702
tel. +39 02 2953 4143 - fax: +39 02 700 442 399
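The write-then-wait pattern Simo describes (write the account to the LDAP master, then refuse to continue until the slave the PDC reads from actually returns the entry, with a hard deadline rather than an unbounded wait) as an added example; this is not code from this thread, from Samba, or from the author. The `LaggingReplica` class, the fake clock and the DN are constructed stand-ins so it runs offline; in a real add-user or domain-join script the `lookup` callable would wrap an `ldapsearch` against the slave.

```python
"""Wait until a write to the LDAP master has become visible on the replica.

Added example, not code from the samba-technical thread or from Samba itself.
After an account is written to the master, poll the replica until the entry
exists or a deadline passes, and only then proceed with the join or user
creation. A bounded wait makes a down or badly lagging replica fail loudly
instead of letting the caller silently go on with data the PDC cannot see.
"""
import time
from typing import Callable, Tuple


def wait_for_replica(lookup: Callable[[str], bool], dn: str,
                     timeout: float = 30.0, interval: float = 0.5,
                     clock=time.monotonic, sleep=time.sleep) -> bool:
    """Poll lookup(dn) until it returns True or `timeout` seconds elapse.

    Returns True when the entry became visible in time, False on deadline.
    `clock` and `sleep` are injectable so the logic can be exercised without
    real waiting; production callers keep the defaults.
    """
    deadline = clock() + timeout
    while True:
        if lookup(dn):
            return True
        if clock() >= deadline:
            return False
        sleep(interval)


class LaggingReplica:
    """Constructed stand-in for an LDAP slave that is `lag` polls behind."""

    def __init__(self, lag: int):
        self.lag = lag
        self.polls = 0
        self.entries = set()

    def write_master(self, dn: str) -> None:
        # The entry is known to the master immediately...
        self.entries.add(dn)

    def lookup(self, dn: str) -> bool:
        # ...but the replica only reports it after `lag` polls.
        self.polls += 1
        return dn in self.entries and self.polls > self.lag


def simulate(lag: int, timeout: float, interval: float) -> Tuple[bool, int]:
    """Run the wait against a LaggingReplica with a fake clock (no real sleeping).

    Returns (entry_became_visible, number_of_polls_made).
    """
    replica = LaggingReplica(lag)
    state = {"now": 0.0}

    def clock() -> float:
        return state["now"]

    def sleep(seconds: float) -> None:
        state["now"] += seconds  # advance the fake clock instead of blocking

    dn = "uid=testuser,ou=People,dc=example,dc=com"  # constructed sample DN
    replica.write_master(dn)
    ok = wait_for_replica(replica.lookup, dn, timeout, interval, clock, sleep)
    return ok, replica.polls


if __name__ == "__main__":
    # Replica three polls behind, 5 s budget: visible after the 4th poll.
    print("small lag:", simulate(lag=3, timeout=5.0, interval=1.0))
    # Replica ten polls behind, same budget: give up instead of proceeding.
    print("large lag:", simulate(lag=10, timeout=5.0, interval=1.0))
```

The deadline check sits after the lookup so a replica that is already current costs a single query, and the final poll at the deadline is still made before giving up; a caller that gets `False` should abort the join or creation and alert, not retry the write.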


More information about the samba-technical mailing list