Password policy patch on Samba-3.0.2 for LDAP backend
Andrew Bartlett
abartlet at samba.org
Tue Feb 24 08:46:24 GMT 2004
On Tue, 2004-02-24 at 19:41, Simo Sorce wrote:
> On Fri, 2004-02-20 at 14:15, Jim McDonough wrote:
>
> > This just is more evidence that the holy grail of a "consistent" SAM is
> > impossible if you're going to have replication. It can't happen...period.
>
> I agree.
What we can do however is ensure that we appear internally consistent
from the view of the client. If we don't have that, things break...
> > If you want a consistent SAM across DC's, you can't use replication, or you
> > have to prevent anyone from doing operations until you can guarantee that
> > replication has occurred. As long as there is replication (and there needs
> > to be in many cases) there is going to be the situation where different
> > replicas have different data. The issue is minimizing security risks and
> > other problems caused by the inconsistencies.
> >
> > Andrew, in fact the setup you mentioned last night, a PDC using an LDAP
> > slave, which you claim is common (I have no reason to doubt that), you
> > could make the claim that the PDC is inconsistent with itself. :-)
>
> It is, and I have one such.
> I had to add timeouts in smb.conf (ldap replication sleep) and scripts
> to be sure the replica happened before going on.
> Otherwise user creation or domain joins would fail because the
> account/password is not yet in the ldap just after it has been written
> into the db.
Indeed. One of the things we need to add is a 'password change sleep'
(or an improvement for ldap rebind sleep) as I saw my users being bitten
with that...
Andrew Bartlett
--
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
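The race Simo describes above (an account written to the LDAP master and read back from a lagging slave before replication has caught up) and the bounded wait that guards against it, as an added example that is not part of the original thread or of Samba's own code; the LaggyReplica class, the DN and the poll counts are constructed stand-ins.

```python
class LaggyReplica:
    """Constructed stand-in for an LDAP master/slave pair: a write to the
    master becomes visible on the slave only after `lag_polls` further reads."""

    def __init__(self, lag_polls):
        self.master = {}
        self.slave = {}
        self.pending = []          # [remaining_polls, dn, entry]
        self.lag_polls = lag_polls

    def write_master(self, dn, entry):
        self.master[dn] = entry
        self.pending.append([self.lag_polls, dn, entry])

    def read_slave(self, dn):
        # Every read advances simulated time; writes whose counter hits zero land.
        for item in self.pending:
            item[0] -= 1
        for item in [p for p in self.pending if p[0] <= 0]:
            self.slave[item[1]] = item[2]
            self.pending.remove(item)
        return self.slave.get(dn)


def wait_for_replica(directory, dn, max_polls):
    """Poll the slave until the entry is visible. Returns the number of polls
    used, or None when the budget is exhausted (caller must then fail, not proceed)."""
    for polls in range(1, max_polls + 1):
        if directory.read_slave(dn) is not None:
            return polls
    return None


def provision_account(directory, dn, entry, max_polls):
    """Model of the PDC flow from the thread: write via the master, then the
    next step (e.g. the domain join) reads back via the slave. True only when
    the read-back actually sees the account within the wait budget."""
    directory.write_master(dn, entry)
    return wait_for_replica(directory, dn, max_polls) is not None


# Constructed sample: a replica that lags three polls behind the master.
SAMPLE_DN = "uid=machine1$,ou=Computers,dc=example,dc=com"   # hypothetical DN
SAMPLE_ENTRY = {"objectClass": "sambaSamAccount"}


def demo():
    """Immediate read-back fails; a bounded wait of ten polls succeeds."""
    no_wait = provision_account(LaggyReplica(3), SAMPLE_DN, SAMPLE_ENTRY, max_polls=1)
    with_wait = provision_account(LaggyReplica(3), SAMPLE_DN, SAMPLE_ENTRY, max_polls=10)
    return no_wait, with_wait
```

A real deployment replaces the simulated reads with a query against the slave (the "scripts" Simo mentions) and treats the None return as a hard failure so a join never proceeds on stale data.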