Brian M Hoy wrote:
Summary


The second point happens, because the PC will _occasionally_ use a
different DC to authenticate against (its secure channel partner in MS
parlance).  If it just so happens to change its machine account password
with this SCP, then the machine's domain membership is broken next time
it uses its "normal" SCP.

My Workaround

I have written a Perl script which fetches the machine account details
from every LDAP server on our network and then figures out which one has
the most recent machine account password, and then submits the change to
the LDAP master so that it is replicated everywhere, thereby getting
around these problems.  It works, but is not ideal.

A quick look at the Samba source suggests that it would not handle LDAP
referrals.  Am I right here?  If it did, then LDAP could be configured
to give a referral to the LDAP master for changes, solving the problem
(at least for LDAP users).

Samba 2.2.8 may help:

16) Fixes for --with-ldapsam
    * Default to port 389 when "ldap ssl != on"
    * add support for rebinding to the master directory server
      for password changes when "ldap server" points to a read-only
      slave



--
____________________________________________________
Ignacio Coupeau, Ph.D.     [EMAIL PROTECTED]
CTI, Director              [EMAIL PROTECTED]
University of Navarra      [EMAIL PROTECTED]
Pamplona, SPAIN            http://www.unav.es/cti/
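
Added example (not from the original thread, and not Brian's Perl script): the selection step of the workaround described above, written in Python over constructed sample entries. The attribute names pwdLastSet and ntPassword are assumed from the Samba 2.2 sambaAccount schema; the server names, MachineEntry and plan_resync are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class MachineEntry:
    server: str        # LDAP server this copy of the entry was read from
    pwd_last_set: int  # pwdLastSet (assumed attribute), Unix seconds
    nt_hash: str       # ntPassword (assumed attribute), hex string


def plan_resync(master: str, entries: list[MachineEntry]) -> Optional[dict]:
    """Return the change to submit to the master, or None if it is current."""
    by_server = {e.server: e for e in entries}
    if master not in by_server:
        raise ValueError("no copy of the entry was read from the master")
    newest_time = max(e.pwd_last_set for e in entries)
    candidates = {e.nt_hash for e in entries if e.pwd_last_set == newest_time}
    if len(candidates) > 1:
        # Two servers accepted different passwords in the same second:
        # there is no safe automatic winner, so stop and let an admin decide.
        raise ValueError("conflicting hashes share the newest timestamp")
    newest = next(e for e in entries if e.pwd_last_set == newest_time)
    current = by_server[master]
    if (current.pwd_last_set, current.nt_hash) == (newest_time, newest.nt_hash):
        return None  # master already holds the newest password
    return {
        "source": newest.server,
        "target": master,
        "replace": {"ntPassword": newest.nt_hash, "pwdLastSet": str(newest_time)},
        "stale": sorted(e.server for e in entries if e.nt_hash != newest.nt_hash),
    }


# Constructed sample: the workstation changed its password on ldap2 only.
SAMPLE = [
    MachineEntry("ldap-master", 1045000000, "1" * 32),
    MachineEntry("ldap2", 1045600000, "2" * 32),
    MachineEntry("ldap3", 1045000000, "1" * 32),
]

if __name__ == "__main__":
    print(plan_resync("ldap-master", SAMPLE))
```

A real script would copy every password attribute of the entry in the same modify operation, and would read each server directly rather than through a load-balanced name.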
