Password change question/2: 'syncpassword' suffices on *ONE* DC?

Password change question/2: 'syncpassword' suffices on *ONE* DC?

Samba - General mailing list

I'm forced, for legacy reasons, to use 'syncpassword'.
Docs are scarce, so I ask here.


It seems to me that the ''consumer'' (e.g. 'samba-tool user syncpasswords',
with or without '--daemon') gets activated after every password change,
independently of which DC it originated on (e.g. I changed a password,
see previous email, on DC2 and the 'syncpassword' script got called on
DC1).

So it seems to me that all that stuff (minus the GPG key and the
'password hash gpg key ids = 1234567890ABCDEF' in smb.conf) suffices/has to
be installed on *ONE* DC.

Right? If yes, 'suffices' or 'has to'? E.g. if I install it on every DC,
do I get some sort of ''failover'' system (e.g. the LDAP change gets
''consumed'' one time), or is my script simply called for every DC?


Thanks.

--
dott. Marco Gaiarin        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

                Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
        (tax code 00307430132, category ONLUS or RICERCA SANITARIA)

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: Password change question/2: 'syncpassword' suffices on *ONE* DC?

Samba - General mailing list
On Mon, 2017-10-30 at 17:00 +0100, Marco Gaiarin via samba wrote:

> I'm forced, for legacy reasons, to use 'syncpassword'.
> Docs are scarce, so I ask here.
>
>
> It seems to me that the ''consumer'' (e.g. 'samba-tool user
> syncpasswords', with or without '--daemon') gets activated after
> every password change, independently of which DC it originated on
> (e.g. I changed a password, see previous email, on DC2 and the
> 'syncpassword' script got called on DC1).
>
> So it seems to me that all that stuff (minus the GPG key and the
> 'password hash gpg key ids = 1234567890ABCDEF' in smb.conf)
> suffices/has to be installed on *ONE* DC.
>
> Right?

Yes, because the passwords are stored in the directory and GPG
encrypted there.  Note that with Samba 4.7 you can also store the
crypt() style sha256 passwords without needing encrypted plaintext, but
it works the same otherwise.

> If yes, 'suffices' or 'has to'? E.g. if I install it on every DC,
> do I get some sort of ''failover'' system (e.g. the LDAP change gets
> ''consumed'' one time), or is my script simply called for every DC?

Well, if you install it on multiple DCs you will have duplicate updates
of your other password system.  The idea is that you install it on one
DC so you only reset or change the password once for every real change.

The syncpasswords tool maintains local state to work out where it is at
in the set of passwords to sync.

I hope this clarifies things,

Andrew Bartlett
--
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT  
https://catalyst.net.nz/services/samba

Re: Password change question/2: 'syncpassword' suffices on *ONE* DC?

Samba - General mailing list
Hi! Andrew Bartlett via samba
  On that day wrote...

> I hope this clarifies things,

Super clear! Thanks!

--
dott. Marco Gaiarin        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797