backend provision samba4-ol-multimaster

Andrew Bartlett abartlet at samba.org
Sun Sep 7 03:06:11 GMT 2008


On Sat, 2008-09-06 at 18:40 +0200, Oliver Liebel wrote:
> Andrew Bartlett schrieb:
> > On Fri, 2008-09-05 at 10:37 +0200, Oliver Liebel wrote:
> >  
> >> e.g.  rid=serverid*100  instead of ...*10
> >>     
> >
> > Sure, but then we have a maximum of 9 replicating servers, which seemed
> > like rather a low limit.   
> sorry, you're right - I missed that point, was just looking at the 
> "readability".
> 
> but there is another point to mention: we should add the "sizelimit 
> unlimited"  ( or just a value greater than 552  [cn=schema] )
> to the slapd.conf template again, otherwise we are running into trouble 
> during initial content load on the secondary dcs.
> 
> > Yep, we need a separate account, but I can't see a good way to move away
> > from cleartext passwords.  
> >
> > ...
> >
> > No, we cannot use GSSAPI.  We must use something like DIGEST-MD5 because
> > we are creating the backend for the KDC, so we can't use kerberos to do
> > it :-)
> >   
> okay, if we were to use digest-md5, what do you think about the following 
> idea:

Excellent.  Please give me a patch with the sizelimit and these
changes. 

> as there is no need for rootpws for the subcontexts now
> (which surely also can be kept there - maybe for debugging issues,
> using pre-crypted slappasswd-ssha-values),
> the only thing remaining in cleartext is the authcid and credentials in 
> the syncrepl config, but as
> the replicator account has only ro-privileges on the dit,
> it's not that bad, even if someone could catch a look at the config...

Let's remove all the rootpw entries. 

> another option could be (with the advantage of having no passwords at 
> all in slapd.conf / slapd.d/ )
> to use mech external, but in that case we would have to set up
> the ca and all host-certs during provisioning, maybe using a fixed 
> cert-dn, e.g. cn=<hostname>,cn=samba4dc,dc=<names.domaindn>
> or something like that.
> but as we have to set up tls for replication anyway, maybe it's worth a 
> thought.
> 
> so what do you think about the mech we should use?

digest-md5 please. 

> > I'm certainly quite OK with having a switch to inhibit the creation of
> > the actual cn=samba data.
> >
> > If we do actually get as far as replicating cn=config, then perhaps this
> > same switch might be used to create a 'stub' slapd.conf with only enough
> > to replicate in cn=config?
> >   
> hm... do you mean (after we have converted the complete slapd to olc on 
> the first dc) a switch (for the other dcs) that will activate
> a very small olc-replication config "from scratch", which will fetch 
> everything needed from the first dc?
> yes, I think we can get that done.

Great.

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.
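The slapd.conf fragment below is an added illustration written for this archive page; it is not Samba's provision template nor code from either poster. It pulls together the points agreed in the thread for one secondary DC: the raised sizelimit for the initial schema refresh, a dedicated read-only replicator account instead of rootpw entries, and a syncrepl stanza that binds with SASL DIGEST-MD5 over TLS. The hostnames, DNs, the serverid, the authz-regexp mapping and the credential value are all assumed placeholders.

```conf
# Added example (not from the thread or Samba's provisioning code).
# All names, DNs and the credential below are assumed placeholders.

# 1. Lift the default 500-entry search size limit so the initial
#    refresh of the schema context (552 entries per the thread) is
#    not truncated on the secondary DC.
sizelimit unlimited

# 2. DIGEST-MD5 proves knowledge of a shared secret, so the provider
#    must hold the replicator's userPassword in cleartext (the
#    "cleartext password" the thread cannot avoid). Map the SASL
#    identity onto that dedicated entry, never onto the rootdn.
#    (Assumed: authcid used without a realm part.)
authz-regexp
    uid=replicator,cn=digest-md5,cn=auth
    cn=replicator,cn=samba,dc=example,dc=com

# 3. Provider side: the replicator gets read access only; no rootpw is
#    configured, so a leaked config cannot yield write access to the DIT.
#    "break" lets the remaining access rules apply to everyone else.
access to *
    by dn.exact="cn=replicator,cn=samba,dc=example,dc=com" read
    by * break

# 4. Consumer side: rid = serverid * 10 (the scheme kept in the thread;
#    serverid 1 assumed). The credentials line is the single remaining
#    cleartext secret, so slapd.conf must stay readable by root only.
syncrepl rid=010
    provider=ldap://dc1.example.com
    type=refreshAndPersist
    retry="60 +"
    searchbase="dc=example,dc=com"
    bindmethod=sasl
    saslmech=DIGEST-MD5
    authcid="replicator"
    credentials="ASSUMED_PLACEHOLDER_SECRET"
    starttls=critical
```

`starttls=critical` makes the consumer refuse to replicate if the TLS upgrade fails, so the DIGEST-MD5 exchange and the replicated data never travel in the clear; without it a failed StartTLS would silently fall back to a plaintext session.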