[Fedora-directory-users] Installing passsync in a AD domain with multiple domain controllers?
Richard Megginson
rmeggins at redhat.com
Thu Aug 23 14:49:50 UTC 2007
Howard Wilkinson wrote:
> Richard Megginson wrote:
>> Howard Wilkinson wrote:
>>> I think I have worked this out but want ot make sure I have got it
>>> correct!
>>>
>>> Whereas the sync agreement for the FDS <-> AD is from a single FDS
>>> server to a single AD domain controller the Passsync facilitiy needs
>>> to be installed on all Domain Controllers (am I right?)
>>>
>>> The reason for this is that the password is hashed before injection
>>> into the AD
>> Are you sure about this? What application does the hashing? AFAIK,
>> AD needs the clear text password in order to do its own specific
>> hashing and encryption.
> This may be terminology, AD is a collection of services running on the
> Domain Controllers. One of these services is replication which
> processes the transfer of strictly LDAP based information. By the time
> replication gets the data therefore the password has been hashed (I am
> relatively sure about this).
Ok.
> The password change hook is called on the domain controller that
> accepted the password change prior to the hash is applied - YES???
Yes.
> Again I think I have this right! Therefore whichever DC gets to take
> part in the password change is going to need the passsync service.
Ok. That sounds right then.
>
> I am looking for someone to definitively confirm or deny this premise
> as I need to push this service out to multiple controllers and include
> it in new builds.
>>> and propagated to other DC's so it is then useless to the Passsync
>>> code. The hook therefore needs to be on the DC that receives the
>>> password change, which can be any DC in the environment....
>> FDS must get the clear text password in order to perform its own
>> hashing which is different from the way AD does hashing.
> Got that, hence my concern with placement of the passsync service
>>>
>>> A further concern arises with a multi-master FDS and a multiple DC
>>> AD. Can the system be set up with multiple FDS <-> AD sync
>>> agreements and still allow the results to propagate within the FDS.
>>> This would make sense from a fault-tolerant perspective, and
>>> off-hand I think the replications should preserve behaviour, but can
>>> anybody spot a problem?
>> This gets a little tricky. In general, AD <-> FDS sync is a simple
>> synchronization protocol, not a full blown multi-master replication
>> protocol as FDS to FDS or AD to AD. FDS cannot be a full replication
>> peer with AD. However, samba4 is getting closer and closer . . .
> But if I have 2 FDS servers running in multi-master and they both have
> synchronisation agreements with a single DC will they fight each
> other, and can they fight the DC's - deletes are the obvious problem.
> The ideal topology would have each of a multi-master set of FDS
> talking to more than one DC each allowing any system to fail and the
> services carrying providing up to date functionality.
>
> Samba4 is something I would love to have but it looks a long way off
> as far as a replacement for what we have today... :-(
>
> Another thing about multi-master FDS's is which FDS should a DC talk
> to for its passsync updates? Ideally each DC would pick a different
> FDS or more than one if the first failed. .... Fault tolerance is fun...
Yes, I'm not sure how fault tolerance works with passsync.
>>> --
>>>
>>> Howard Wilkinson
>>>
>>>
>>>
>>> Phone:
>>>
>>>
>>>
>>> +44(20)76907075
>>>
>>> Coherent Technology Limited
>>>
>>>
>>>
>>> Fax:
>>>
>>>
>>>
>>>
>>>
>>> 23 Northampton Square,
>>>
>>>
>>>
>>> Mobile:
>>>
>>>
>>>
>>> +44(7980)639379
>>>
>>> United Kingdom, EC1V 0HL
>>>
>>>
>>>
>>> Email:
>>>
>>>
>>>
>>> howard at cohtech.com
>>>
>>>
>>>
>>> ------------------------------------------------------------------------
>>>
>>>
>>> --
>>> Fedora-directory-users mailing list
>>> Fedora-directory-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>
>>
>> ------------------------------------------------------------------------
>>
>> --
>> Fedora-directory-users mailing list
>> Fedora-directory-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>
>
>
> --
>
> Howard Wilkinson
>
>
>
> Phone:
>
>
>
> +44(20)76907075
>
> Coherent Technology Limited
>
>
>
> Fax:
>
>
>
>
>
> 23 Northampton Square,
>
>
>
> Mobile:
>
>
>
> +44(7980)639379
>
> United Kingdom, EC1V 0HL
>
>
>
> Email:
>
>
>
> howard at cohtech.com
>
>
>
> ------------------------------------------------------------------------
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/fedora-directory-users/attachments/20070823/159662ac/attachment.bin>
More information about the Fedora-directory-users
mailing list