[Fedora-directory-users] Installing passsync in a AD domain with multiple domain controllers?

Richard Megginson rmeggins at redhat.com
Thu Aug 23 14:49:50 UTC 2007


Howard Wilkinson wrote:
> Richard Megginson wrote:
>> Howard Wilkinson wrote:
>>> I think I have worked this out but want to make sure I have got it 
>>> correct!
>>>
>>> Whereas the sync agreement for the FDS <-> AD is from a single FDS 
>>> server to a single AD domain controller the Passsync facility needs 
>>> to be installed on all Domain Controllers (am I right?)
>>>
>>> The reason for this is that the password is hashed before injection 
>>> into the AD
>> Are you sure about this?  What application does the hashing?  AFAIK, 
>> AD needs the clear text password in order to do its own specific 
>> hashing and encryption.
> This may be terminology, AD is a collection of services running on the 
> Domain Controllers. One of these services is replication which 
> processes the transfer of strictly LDAP based information. By the time 
> replication gets the data therefore the password has been hashed (I am 
> relatively sure about this).
Ok.
> The password change hook is called on the domain controller that 
> accepted the password change before the hash is applied - YES???
Yes.
> Again I think I have this right! Therefore whichever DC gets to take 
> part in the password change is going to need the passsync service.
Ok.  That sounds right then.
>
> I am looking for someone to definitively confirm or deny this premise 
> as I need to push this service out to multiple controllers and include 
> it in new builds.
>>> and propagated to other DC's so it is then useless to the Passsync 
>>> code. The hook therefore needs to be on the DC that receives the 
>>> password change, which can be any DC in the environment....
>> FDS must get the clear text password in order to perform its own 
>> hashing which is different from the way AD does hashing.
> Got that, hence my concern with placement of the passsync service
>>>
>>> A further concern arises with a multi-master FDS and  a multiple DC 
>>> AD. Can the system be set up with multiple FDS <-> AD sync 
>>> agreements and still allow the results to propagate within the FDS. 
>>> This would make sense from a fault-tolerant perspective, and 
>>> off-hand I think the replications should preserve behaviour, but can 
>>> anybody spot a problem?
>> This gets a little tricky.  In general, AD <-> FDS sync is a simple 
>> synchronization protocol, not a full blown multi-master replication 
>> protocol as FDS to FDS or AD to AD.  FDS cannot be a full replication 
>> peer with AD.  However, samba4 is getting closer and closer . . .
> But if I have 2 FDS servers running in multi-master and they both have 
> synchronisation agreements with a single DC will they fight each 
> other, and can they fight the DC's - deletes are the obvious problem. 
> The ideal topology would have each of a multi-master set of FDS 
> talking to more than one DC each allowing any system to fail and the 
> services carrying on providing up-to-date functionality.
>
> Samba4 is something I would love to have but it looks a long way off 
> as far as a replacement for what we have today... :-(
>
> Another thing about multi-master FDS's is which FDS should a DC talk 
> to for its passsync updates? Ideally each DC would pick a different 
> FDS or more than one if the first failed. .... Fault tolerance is fun...
Yes, I'm not sure how fault tolerance works with passsync.
>>> -- 
>>> Howard Wilkinson
>>> Coherent Technology Limited
>>> 23 Northampton Square, United Kingdom, EC1V 0HL
>>> Phone: +44(20)76907075
>>> Mobile: +44(7980)639379
>>> Email: howard at cohtech.com
>>>
>>> -- 
>>> Fedora-directory-users mailing list
>>> Fedora-directory-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/fedora-directory-users/attachments/20070823/159662ac/attachment.bin>
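The thread's conclusion is that the PassSync hook must be present on every writable domain controller, because the password filter only ever sees the clear-text password on the DC that accepts the change; by the time AD replication carries it elsewhere only the hash exists. The script below is an added example (not from the thread and not part of the PassSync project) that audits the domain for exactly that gap. The names it looks for are assumptions: it takes `passhook` as the entry the PassSync installer adds to the LSA `Notification Packages` value and `passsync` as the Windows service name; check both against your installer and override the parameters if they differ.

```powershell
# Added example, not from the thread or from the PassSync project.
# Audit every writable domain controller for the PassSync password-change hook.
# The password filter only sees the clear-text password on the DC that accepts
# the change, so a DC without the hook silently loses those changes for FDS.
#
# ASSUMPTIONS (adjust for your installer version):
#   $HookName    - the LSA 'Notification Packages' entry the PassSync installer adds
#   $ServiceName - the Windows service name of the PassSync service
param(
    [string]$HookName    = 'passhook',
    [string]$ServiceName = 'passsync'
)

Import-Module ActiveDirectory

# Only writable DCs accept password changes; RODCs forward them to a writable DC.
$writableDCs = Get-ADDomainController -Filter * | Where-Object { -not $_.IsReadOnly }

$results = foreach ($dc in $writableDCs) {
    try {
        Invoke-Command -ComputerName $dc.HostName -ErrorAction Stop `
            -ArgumentList $HookName, $ServiceName -ScriptBlock {
            param($hook, $svc)
            # REG_MULTI_SZ: one string per registered password-filter DLL (no .dll suffix)
            $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                                    -Name 'Notification Packages'
            $packages = @($lsa.'Notification Packages')
            $service  = Get-Service -Name $svc -ErrorAction SilentlyContinue
            $status   = 'missing'
            if ($service) { $status = $service.Status.ToString() }
            [pscustomobject]@{
                DC             = $env:COMPUTERNAME
                HookRegistered = ($packages -contains $hook)
                ServiceStatus  = $status
                Packages       = ($packages -join ', ')
            }
        }
    }
    catch {
        # Unreachable DC: report it rather than letting it vanish from the audit.
        [pscustomobject]@{
            DC             = $dc.HostName
            HookRegistered = $false
            ServiceStatus  = "unreachable: $($_.Exception.Message)"
            Packages       = ''
        }
    }
}

$results | Sort-Object DC | Format-Table DC, HookRegistered, ServiceStatus, Packages -AutoSize

# Any writable DC missing the hook or with the service stopped is a gap:
# a change accepted there is hashed before replication and never reaches FDS.
$gaps = $results | Where-Object { -not $_.HookRegistered -or $_.ServiceStatus -ne 'Running' }
if ($gaps) {
    Write-Warning ('PassSync hook/service missing on: ' + (($gaps | ForEach-Object DC) -join ', '))
    exit 1
}
```

Run it from a domain-joined host with the RSAT ActiveDirectory module and remoting rights on the DCs. Two caveats a registry check cannot cover: LSASS loads password filters at boot, so a DC where the DLL was registered without a reboot will show `HookRegistered` as true but is not actually hooked yet; and the registry entry says nothing about whether the service can reach its configured FDS server. The end-to-end check is to change a test account's password against each DC explicitly (`Set-ADAccountPassword -Server <dc>`) and confirm the corresponding change arrives on FDS.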

