Installing passsync in an AD domain with multiple domain controllers?

Howard Wilkinson wrote:
> I think I have worked this out but want to make sure I have got it 
> correct!
>
> Whereas the sync agreement for the FDS <-> AD is from a single FDS 
> server to a single AD domain controller the Passsync facility needs 
> to be installed on all Domain Controllers (am I right?)
>
> The reason for this is that the password is hashed before injection 
> into the AD
Are you sure about this?  What application does the hashing?  AFAIK, AD 
needs the clear text password in order to do its own specific hashing 
and encryption.
> and propagated to other DCs so it is then useless to the Passsync 
> code. The hook therefore needs to be on the DC that receives the 
> password change, which can be any DC in the environment....
FDS must get the clear text password in order to perform its own hashing 
which is different from the way AD does hashing.
>
> A further concern arises with a multi-master FDS and a multiple DC 
> AD. Can the system be set up with multiple FDS <-> AD sync agreements 
> and still allow the results to propagate within the FDS. This would 
> make sense from a fault-tolerant perspective, and off-hand I think the 
> replications should preserve behaviour, but can anybody spot a problem?
This gets a little tricky.  In general, AD <-> FDS sync is a simple 
synchronization protocol, not a full blown multi-master replication 
protocol as FDS to FDS or AD to AD.  FDS cannot be a full replication 
peer with AD.  However, samba4 is getting closer and closer . . .
> -- 
> Howard Wilkinson
> Coherent Technology Limited
> 23 Northampton Square,
> United Kingdom, EC1V 0HL
> Phone: +44(20)76907075
> Mobile: +44(7980)639379
> Email: howard at cohtech.com
