Marco Gaiarin
2017-Oct-30 16:00 UTC
[Samba] Password change question/2: 'syncpassword' suffices on *ONE* DC?
I'm forced, for legacy reasons, to use 'syncpassword'.
Docs are scarce, so I ask here.

It seems to me that the ''consumer'' (e.g. 'samba-tool user syncpasswords',
with or without '--daemon') gets activated after every password change,
independently of which DC it originated on (e.g. I changed a password,
see previous email, on DC2 and the 'syncpassword' script got called on
DC1).

So it seems to me that all that stuff (minus the GPG key and the
'password hash gpg key ids = 1234567890ABCDEF' in smb.conf) suffices/has to
be installed on *ONE* DC.

Right?

If yes, 'it suffices' or 'has to'? E.g. if I install it on every DC,
do I get some sort of ''failover'' system (e.g. the LDAP change gets
''consumed'' one time), or is my script simply called on every DC?

Thanks.

-- 
dott. Marco Gaiarin    GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia''    http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it    t +39-0434-842711    f +39-0434-842797
Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
Andrew Bartlett
2017-Oct-30 17:46 UTC
[Samba] Password change question/2: 'syncpassword' suffices on *ONE* DC?
On Mon, 2017-10-30 at 17:00 +0100, Marco Gaiarin via samba wrote:
> I'm forced, for legacy reasons, to use 'syncpassword'.
> Docs are scarce, so I ask here.
>
> It seems to me that the ''consumer'' (e.g. 'samba-tool user
> syncpasswords', with or without '--daemon') gets activated after every
> password change, independently of which DC it originated on (e.g. I
> changed a password, see previous email, on DC2 and the 'syncpassword'
> script got called on DC1).
>
> So it seems to me that all that stuff (minus the GPG key and the
> 'password hash gpg key ids = 1234567890ABCDEF' in smb.conf) suffices/has
> to be installed on *ONE* DC.
>
> Right?

Yes, because the passwords are stored into the directory and GPG
encrypted there.

Note that with Samba 4.7 you can also store the crypt() style sha256
passwords without needing encrypted plaintext, but it works the same
otherwise.

> If yes, 'it suffices' or 'has to'? E.g. if I install it on every DC,
> do I get some sort of ''failover'' system (e.g. the LDAP change gets
> ''consumed'' one time), or is my script simply called on every DC?

Well, if you install it on multiple DCs you will have duplicate updates
of your other password system. The idea is that you install it on one
DC so you only reset or change the password once for every real change.

The syncpasswords tool maintains local state to work out where it is at
in the set of passwords to sync.

I hope this clarifies things,

Andrew Bartlett

-- 
Andrew Bartlett    https://samba.org/~abartlet/
Authentication Developer, Samba Team    https://samba.org
Samba Development and Support, Catalyst IT    https://catalyst.net.nz/services/samba
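To make Andrew's two points concrete (the encrypted copy lives in the replicated directory, and 4.7 can keep crypt() hashes instead), here is an smb.conf fragment for the single DC that runs the sync. This is an added illustration, not configuration taken from this thread or from the Samba project's documentation; the GPG key ID is the placeholder from Marco's mail and the scheme list is an assumption about what the receiving system accepts.

```ini
# smb.conf fragment for the ONE DC that runs 'samba-tool user syncpasswords'.
# Added example; key ID and scheme list are placeholders/assumptions.
[global]
    # Option 1 (what this thread uses): on every password change Samba stores
    # a GPG-encrypted copy of the cleartext in the directory. The encrypted
    # value replicates to all DCs like any other attribute, but only a DC that
    # holds the matching private key can decrypt it, so the private key (and
    # the syncpasswords consumer) need exist on this one DC only.
    password hash gpg key ids = 1234567890ABCDEF

    # Option 2 (Samba 4.7 and later, per Andrew): store crypt()-style hashes
    # instead, so no reversibly encrypted plaintext is kept in the directory.
    # Only useful when the other password system accepts crypt() hashes.
    password hash userPassword schemes = CryptSHA256 CryptSHA512
```

On that DC the consumer is then initialised once with `samba-tool user syncpasswords --cache-ldb-initialize` (adding `--decrypt-samba-gpg` for option 1 and `--script=<your sync script>` for the hand-off) and afterwards run with `--daemon`. The cache ldb created by that initialise step is the "local state" Andrew refers to: it records how far the tool has consumed the change stream, which is why a second DC running its own copy would not act as a failover but would simply replay every change a second time into the other password system.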
Marco Gaiarin
2017-Oct-31 10:13 UTC
[Samba] Password change question/2: 'syncpassword' suffices on *ONE* DC?
Hello! Andrew Bartlett via samba, on that day, wrote:

> I hope this clarifies things,

Super clear! Thanks!

-- 
dott. Marco Gaiarin