[Samba] Should Samba-tool RODC preload be run periodically?
Andrej Gessel
Andrej.Gessel at janztec.com
Thu Nov 30 15:46:59 UTC 2017
Hello Andrew,
thank you for the answer.
1) User credentials need to be preloaded with samba-tool to be
automatically replicated later if they change, its correct?
2) And if user try to login on RODC without preloaded credentials, this
credentials will not be cached? (as described in samba wiki)
We using Samba 4.7.3 for RODC.
Thanks
Am 28.11.2017 um 19:55 schrieb Andrew Bartlett:
> On Wed, 2017-11-29 at 07:26 +1300, Andrew Bartlett via samba wrote:
>> On Tue, 2017-11-28 at 15:03 +0000, Andrej Gessel via samba wrote:
>>> Hello list,
>>>
>>> I run “samba-tool rodc preload” for multiple users. If one of this users change his password, should I repeat the preload call? (I suppose yes, I need to rerun)
>>> If I need to rerun samba-tool, can user login with his old password till its expire? (I suppose yes?)
>> The design is that we get a replication event with a blank password in
>> it, causing the password to be wiped locally. That triggers the next
>> login to go via the master DC which if successful triggers a async
>> replication of the new password.
>>
>> So, it is meant to be safe for password change/reset, and there are
>> tests for this.
> I should point out that the RODC is only working and secure in Samba
> 4.7 and above.
>
> Thanks,
>
> Andrew Bartlett
More information about the samba
mailing list