[Samba] Password change question/2: 'syncpassword' suffices on *ONE* DC?

Andrew Bartlett abartlet at samba.org
Mon Oct 30 17:46:14 UTC 2017

On Mon, 2017-10-30 at 17:00 +0100, Marco Gaiarin via samba wrote:
> I'm forced, for legacy reasons, to use 'syncpassword'.
> Docs are scarce, so I ask here.
> Seems to me that the ''consumer'' (eg, 'samba-tool user syncpasswords',
> with or without '--daemon') gets activated after every password change,
> independently of which DC it originated on (eg, I've changed a password,
> see previous email, on DC2 and the 'syncpassword' script gets called on
> DC1).
> So it seems to me that all that stuff (minus the GPG key and the
> 'password hash gpg key ids = 1234567890ABCDEF' in smb.conf)
> suffices/has to be installed on *ONE* DC.
> Right?

Yes, because the passwords are stored in the directory and GPG
encrypted there.  Note that with Samba 4.7 you can also store the
crypt() style sha256 passwords without needing encrypted plaintext, but
it works the same otherwise.

> If yes, 'it suffices' or 'have to'? Eg, if I install on every DC
> I get some sort of ''failover'' system (eg, the LDAP change gets
> ''consumed'' one time), or simply I have my script called for every DC?

Well, if you install it on multiple DCs you will have duplicate updates
of your other password system.  The idea is that you install it on one
DC so you only reset or change the password once for every real change.

The syncpasswords tool maintains local state to work out where it is at
in the set of passwords to sync. 

I hope this clarifies things,

Andrew Bartlett
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   
