Passowrd policy patch on Samba-3.0.2 for LDAP backend

Simo Sorce simo.sorce at
Tue Feb 24 08:41:20 GMT 2004

On Fri, 2004-02-20 at 14:15, Jim McDonough wrote:

> This just is more evidence that the holy grail of a "consistent" SAM is
> impossible if yo'ure going to have replication.  It can't happen...period.

I agree.

> If you want a consistent SAM across DC's, you can't use replication, or you
> have to prevent anyone from doing operations until you can guarantee that
> replication has occurred.  As long as there is replication (and there needs
> to be in many cases) there is going to be the situation where different
> replicas have different data.  The issue is minimizing security risks and
> other problems caused by the inconsistencies.
> Andrew, in fact the setup you mentioned last night, a PDC using an LDAP
> slave, which you claim is common (I have no reason to doubt that), you
> could make the claim that the PDC inconsistent with itself.  :-)

It is, and I have one such.
I had to add timeouts in smb.conf (ldap replication sleep) and scripts
to be sure the replica happened before going on.
Otherwise user creation or domain joins would fail because the
account/password is not yet in the ldap just after it has been written
into the db.


Simo Sorce - simo.sorce at
Xsec s.r.l. -
via Garofalo, 39 - 20133 - Milano
mobile: +39 329 328 7702
tel. +39 02 2953 4143 - fax: +39 02 700 442 399

More information about the samba-technical mailing list