<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type"> </head> <body bgcolor="#ffffff" text="#000000"> Richard Megginson wrote: <blockquote cite="mid:46CD9587.9040508@redhat.com" type="cite">Howard Wilkinson wrote: <blockquote type="cite">I think I have worked this out but want ot make sure I have got it correct! Whereas the sync agreement for the FDS <-> AD is from a single FDS server to a single AD domain controller the Passsync facilitiy needs to be installed on all Domain Controllers (am I right?) The reason for this is that the password is hashed before injection into the AD </blockquote> Are you sure about this? What application does the hashing? AFAIK, AD needs the clear text password in order to do its own specific hashing and encryption. </blockquote> This may be terminology, AD is a collection of services running on the Domain Controllers. One of these services is replication which processes the transfer of strictly LDAP based information. By the time replication gets the data therefore the password has been hashed (I am relatively sure about this). The password change hook is called on the domain controller that accepted the password change prior to the hash is applied - YES??? Again I think I have this right! Therefore whichever DC gets to take part in the password change is going to need the passsync service. I am looking for someone to definitively confirm or deny this premise as I need to push this service out to multiple controllers and include it in new builds. <blockquote cite="mid:46CD9587.9040508@redhat.com" type="cite"> <blockquote type="cite">and propagated to other DC's so it is then useless to the Passsync code. The hook therefore needs to be on the DC that receives the password change, which can be any DC in the environment.... </blockquote> FDS must get the clear text password in order to perform its own hashing which is different from the way AD does hashing. </blockquote> Got that, hence my concern with placement of the passsync service <blockquote cite="mid:46CD9587.9040508@redhat.com" type="cite"> <blockquote type="cite"> A further concern arises with a multi-master FDS and a multiple DC AD. Can the system be set up with multiple FDS <-> AD sync agreements and still allow the results to propagate within the FDS. This would make sense from a fault-tolerant perspective, and off-hand I think the replications should preserve behaviour, but can anybody spot a problem? </blockquote> This gets a little tricky. In general, AD <-> FDS sync is a simple synchronization protocol, not a full blown multi-master replication protocol as FDS to FDS or AD to AD. FDS cannot be a full replication peer with AD. However, samba4 is getting closer and closer . . . </blockquote> But if I have 2 FDS servers running in multi-master and they both have synchronisation agreements with a single DC will they fight each other, and can they fight the DC's - deletes are the obvious problem. The ideal topology would have each of a multi-master set of FDS talking to more than one DC each allowing any system to fail and the services carrying providing up to date functionality. Samba4 is something I would love to have but it looks a long way off as far as a replacement for what we have today... :-( Another thing about multi-master FDS's is which FDS should a DC talk to for its passsync updates? Ideally each DC would pick a different FDS or more than one if the first failed. .... Fault tolerance is fun... <blockquote cite="mid:46CD9587.9040508@redhat.com" type="cite"> <blockquote type="cite">-- Howard Wilkinson Phone: +44(20)76907075 Coherent Technology Limited Fax: 23 Northampton Square, Mobile: +44(7980)639379 United Kingdom, EC1V 0HL Email: <a class="moz-txt-link-abbreviated" href="mailto:howard@cohtech.com">howard@cohtech.com</a> ------------------------------------------------------------------------ -- Fedora-directory-users mailing list <a class="moz-txt-link-abbreviated" href="mailto:Fedora-directory-users@redhat.com">Fedora-directory-users@redhat.com</a> <a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/fedora-directory-users">https://www.redhat.com/mailman/listinfo/fedora-directory-users</a> </blockquote> <pre wrap=""> <hr size="4" width="90%"> -- Fedora-directory-users mailing list <a class="moz-txt-link-abbreviated" href="mailto:Fedora-directory-users@redhat.com">Fedora-directory-users@redhat.com</a> <a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/fedora-directory-users">https://www.redhat.com/mailman/listinfo/fedora-directory-users</a> </pre> </blockquote> <div class="moz-signature">-- <title>Signature</title> <div class="Section1"> <table class="MsoNormalTable" style="width: 100%;" border="0" cellpadding="0" width="100%"> <tbody> <tr style=""> <td style="padding: 1.5pt;" valign="top"> Howard Wilkinson </td> <td style="padding: 1.5pt;" valign="top"> Phone: </td> <td style="padding: 1.5pt;" valign="top"> +44(20)76907075 </td> </tr> <tr style=""> <td style="padding: 1.5pt;" valign="top"> Coherent Technology Limited </td> <td style="padding: 1.5pt;" valign="top"> Fax: </td> <td style="padding: 1.5pt;" valign="top"> </td> </tr> <tr style=""> <td style="padding: 1.5pt;" valign="top"> 23 Northampton Square, </td> <td style="padding: 1.5pt;" valign="top"> Mobile: </td> <td style="padding: 1.5pt;" valign="top"> +44(7980)639379 </td> </tr> <tr style=""> <td style="padding: 1.5pt;" valign="top"> United Kingdom, EC1V 0HL </td> <td style="padding: 1.5pt;" valign="top"> Email: </td> <td style="padding: 1.5pt;" valign="top"> <a name="howardcohtech.com"></a><a class="moz-txt-link-abbreviated" href="mailto:howard@cohtech.com">howard@cohtech.com</a> </td> </tr> </tbody> </table> </div> </div> </body> </html>