Hi Andrew,

thank you for your reply.

-<| Quoting Andrew Bartlett <abartlet at samba.org>, on Thursday, 2018-10-25 06:44:03 AM |>-

> On Wed, 2018-10-24 at 15:43 +0200, Philipp Gesang wrote:
> > Hi again,
> >
> > -<| Quoting Andrew Bartlett <abartlet at samba.org>, on Friday, 2018-09-21 08:23:26 AM |>-
> >
> > > On Fri, 2018-09-21 at 11:29 +0200, Philipp Gesang via samba wrote:
> > > >
> > > > The goal is to have a domain member functional after restoring
> > > > from a backup without re-joining.
> > >
> > > Do take care that the password is changed by winbindd regularly. It
> > > might not work any more.
> >
> > I’m revisiting this issue right now. Specifically, I’m looking
> > for a means to have another process notified of a password change
> > completed by winbindd. I had no luck so far skimming the man
> > pages and source for hooks I could use.
> >
> > Any advice would be appreciated.
>
> Could you use and track the last changed time?
>
> e.g. stored in the key from machine_last_change_time_keystr()
>
> There isn't any hook or message sent about this at the moment, but I
> suppose a message could be sent on the messaging bus if you really
> needed it.
>
> Can you detail the use case some more?

I’m working on a patchset that allows extracting the machine account
credentials so they can be stored outside Samba. That part is already
working. The goal is now to always have up-to-date values stored away
to minimize the possibility that a re-join is needed after replaying
the creds from a backup. The join requires manual intervention and
elevated privileges, so it is quite undesirable to request it unless
absolutely necessary (e.g. password changed since last backup).

There is of course always the option of monitoring secrets.tdb with
inotify and acting on change events. It would be more convenient
though if I could just throw a script at Samba and have it executed
at the right moment.
Best,
Philipp
On Thu, 2018-10-25 at 09:16 +0200, Philipp Gesang wrote:
> Hi Andrew,
>
> thank you for your reply.
>
> I’m working on a patchset that allows extracting the machine
> account credentials so they can be stored outside Samba. That
> part is already working.

Can you remind us of the current patch?

> The goal is now to always have up to
> date values stored away to minimize the possibility that a
> re-join is needed after replaying the creds from a backup. The
> join requires manual intervention and elevated privileges so it
> is quite undesirable to request it unless absolutely necessary
> (e.g. password changed since last backup).
>
> There is of course always the option of monitoring secrets.tdb
> with inotify and acting on change events. It would be more
> convenient though if I could just throw a script at Samba and
> have it executed at the right moment.

Perhaps set:
machine password timeout = 0
in the smb.conf

and then run
wbinfo --change-secret

and then do the backup?

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
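Andrew's two-step procedure as a backup script, added here as an example (not code from the thread or from Samba): it refuses to run until "machine password timeout = 0" is in effect, forces one rotation with wbinfo --change-secret, and only then copies secrets.tdb, so the copy holds the password the DC currently knows. The secrets.tdb path and the backup directory are assumptions; testparm and wbinfo are expected on PATH.

```shell
#!/bin/sh
# Added example: rotate the machine password, then back up secrets.tdb.
SECRETS_TDB="${SECRETS_TDB:-/var/lib/samba/private/secrets.tdb}"  # assumed path
BACKUP_DIR="${BACKUP_DIR:-/var/backups/samba}"                    # assumed path

# Return 0 if the smb.conf dump in $1 (format of `testparm -s -v`) sets
# "machine password timeout = 0", i.e. winbindd will not rotate the machine
# password on its own schedule between two backups. A non-zero value or a
# missing line (Samba's default is a weekly rotation) counts as "enabled".
timeout_is_disabled() {
    printf '%s\n' "$1" \
      | sed -n 's/^[[:space:]]*machine password timeout[[:space:]]*=[[:space:]]*\([0-9]*\)[[:space:]]*$/\1/p' \
      | grep -qx '0'
}

# Path of the backup copy for a given epoch timestamp (pure, testable).
backup_name() {
    printf '%s/secrets.tdb.%s' "$BACKUP_DIR" "$1"
}

# The procedure from the thread: bail out while winbindd may still rotate
# behind our back, force one rotation now, then copy the database.
rotate_and_backup() {
    conf="$(testparm -s -v 2>/dev/null)" || return 1
    if ! timeout_is_disabled "$conf"; then
        echo "machine password timeout is not 0; set it in smb.conf first" >&2
        return 2
    fi
    # Forces the change immediately instead of waiting for the (disabled) timer;
    # if it fails, keep the old copy rather than a possibly stale new one.
    wbinfo --change-secret || return 3
    mkdir -p "$BACKUP_DIR" && chmod 700 "$BACKUP_DIR"
    dest="$(backup_name "$(date +%s)")"
    # secrets.tdb holds the machine account password: keep the copy root-only.
    # With the timer disabled nothing writes the tdb now; if it could, prefer
    # tdbbackup(8) over cp to get a consistent snapshot.
    cp -p "$SECRETS_TDB" "$dest" && chmod 600 "$dest" && echo "$dest"
}

# Only act when explicitly asked, so sourcing this file has no side effects.
if [ "${1:-}" = "run" ]; then
    rotate_and_backup
fi
```

Run it as root right before the regular backup job picks up the backup directory.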
-<| Quoting Andrew Bartlett <abartlet at samba.org>, on Thursday, 2018-10-25 08:36:02 PM |>-

> On Thu, 2018-10-25 at 09:16 +0200, Philipp Gesang wrote:
> > Hi Andrew,
> >
> > thank you for your reply.
> >
> > I’m working on a patchset that allows extracting the machine
> > account credentials so they can be stored outside Samba. That
> > part is already working.
>
> Can you remind us of the current patch?

I’ll post it as soon as I get the tests right.

> > The goal is now to always have up to
> > date values stored away to minimize the possibility that a
> > re-join is needed after replaying the creds from a backup. The
> > join requires manual intervention and elevated privileges so it
> > is quite undesirable to request it unless absolutely necessary
> > (e.g. password changed since last backup).
> >
> > There is of course always the option of monitoring secrets.tdb
> > with inotify and acting on change events. It would be more
> > convenient though if I could just throw a script at Samba and
> > have it executed at the right moment.
>
> Perhaps set:
> machine password timeout = 0
> in the smb.conf
>
> and then run
> wbinfo --change-secret
>
> and then do the backup?

Perfect! Thanks a lot.

Philipp