Password policy patch on Samba-3.0.2 for LDAP backend

Andrew Bartlett abartlet at samba.org
Tue Feb 24 08:46:24 GMT 2004


On Tue, 2004-02-24 at 19:41, Simo Sorce wrote:
> On Fri, 2004-02-20 at 14:15, Jim McDonough wrote:
> 
> > This just is more evidence that the holy grail of a "consistent" SAM is
> > impossible if you're going to have replication.  It can't happen...period.
> 
> I agree.

What we can do however is ensure that we appear internally consistent
from the view of the client.  If we don't have that, things break...

> > If you want a consistent SAM across DC's, you can't use replication, or you
> > have to prevent anyone from doing operations until you can guarantee that
> > replication has occurred.  As long as there is replication (and there needs
> > to be in many cases) there is going to be the situation where different
> > replicas have different data.  The issue is minimizing security risks and
> > other problems caused by the inconsistencies.
> > 
> > Andrew, in fact the setup you mentioned last night, a PDC using an LDAP
> > slave, which you claim is common (I have no reason to doubt that), you
> > could make the claim that the PDC is inconsistent with itself.  :-)
> 
> It is, and I have one such.
> I had to add timeouts in smb.conf (ldap replication sleep) and scripts
> to be sure the replica happened before going on.
> Otherwise user creation or domain joins would fail because the
> account/password is not yet in the ldap just after it has been written
> into the db.

Indeed.  One of the things we need to add is a 'password change sleep'
(or an improvement for ldap rebind sleep) as I saw my users being bitten
with that...

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
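The "wait for the replica before going on" script Simo describes, written out as an added example (it is not from this thread, nor Samba's own code): after an account is written to the LDAP master, poll the slave the PDC reads from until the entry is visible, with a bounded timeout, so the following step (the domain join or first logon) does not race replication. The slave URI, base DN and the overridable probe command are assumptions.

```shell
#!/bin/sh
# Added example: block until a freshly written account is visible on the
# LDAP slave that the PDC queries. Complements smb.conf's fixed
# "ldap replication sleep" with a check that actually observes convergence.

SLAVE_URI="${SLAVE_URI:-ldap://ldap-slave.example.com}"   # placeholder
BASE_DN="${BASE_DN:-dc=example,dc=com}"                    # placeholder

# Probe: exit 0 when the entry for $1 (a uid) is visible on the slave.
# Uses the OpenLDAP client; anonymous bind is assumed to be allowed for
# reading dn, which is all we need.
probe_replica() {
    ldapsearch -x -LLL -H "$SLAVE_URI" -b "$BASE_DN" -s sub "(uid=$1)" dn \
        2>/dev/null | grep -q '^dn:'
}

# wait_for_replica UID [TIMEOUT_SECONDS] [POLL_INTERVAL_SECONDS]
# Returns 0 once the probe sees the entry, 1 if the timeout expires.
# $PROBE may name another shell function so the logic can be exercised
# without a directory server.
wait_for_replica() {
    uid="$1"; timeout="${2:-30}"; interval="${3:-1}"
    [ "$interval" -ge 1 ] || interval=1     # never spin without a delay
    elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        if "${PROBE:-probe_replica}" "$uid"; then
            return 0
        fi
        sleep "$interval"
        elapsed=$((elapsed + interval))
    done
    return 1
}

# Constructed stand-in for a lagging replica: the entry only "appears"
# on the third probe. Used for offline demonstration and testing.
FAKE_CALLS=0
fake_probe() {
    FAKE_CALLS=$((FAKE_CALLS + 1))
    [ "$FAKE_CALLS" -ge 3 ]
}

# Typical use after creating the account on the master:
#   wait_for_replica "$newuser" 30 1 || { echo "replica not converged"; exit 1; }
#   ... then proceed with the domain join / first logon ...
```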