Should Samba-tool RODC preload be run periodically?


Should Samba-tool RODC preload be run periodically?

Samba - General mailing list
Hello list,

I run “samba-tool rodc preload” for multiple users. If one of these users changes his password, should I repeat the preload call? (I suppose yes, I need to rerun.)
If I need to rerun samba-tool, can the user log in with his old password until it expires? (I suppose yes?)

Thank you.
----------------------------------------------------------------------------------------------------------
Andrej Gessel ([hidden email])
Entwicklung Software
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: Should Samba-tool RODC preload be run periodically?

Samba - General mailing list
On Tue, 2017-11-28 at 15:03 +0000, Andrej Gessel via samba wrote:
> Hello list,
>
> I run “samba-tool rodc preload” for multiple users. If one of these users changes his password, should I repeat the preload call? (I suppose yes, I need to rerun.)
> If I need to rerun samba-tool, can the user log in with his old password until it expires? (I suppose yes?)

The design is that we get a replication event with a blank password in
it, causing the password to be wiped locally.  That triggers the next
login to go via the master DC which, if successful, triggers an async
replication of the new password.

So, it is meant to be safe for password change/reset, and there are
tests for this.

Thanks for asking!

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba



Re: Should Samba-tool RODC preload be run periodically?

Samba - General mailing list
On Wed, 2017-11-29 at 07:26 +1300, Andrew Bartlett via samba wrote:

> On Tue, 2017-11-28 at 15:03 +0000, Andrej Gessel via samba wrote:
> > Hello list,
> >
> > I run “samba-tool rodc preload” for multiple users. If one of these users changes his password, should I repeat the preload call? (I suppose yes, I need to rerun.)
> > If I need to rerun samba-tool, can the user log in with his old password until it expires? (I suppose yes?)
>
> The design is that we get a replication event with a blank password in
> it, causing the password to be wiped locally.  That triggers the next
> login to go via the master DC which, if successful, triggers an async
> replication of the new password.
>
> So, it is meant to be safe for password change/reset, and there are
> tests for this.

I should point out that the RODC is only working and secure in Samba
4.7 and above.

Thanks,

Andrew Bartlett
--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba



Re: Should Samba-tool RODC preload be run periodically?

Samba - General mailing list
Hello Andrew,

thank you for the answer.

1) User credentials need to be preloaded with samba-tool to be
automatically replicated later if they change, is that correct?

2) And if a user tries to log in on the RODC without preloaded credentials, these
credentials will not be cached? (as described in the Samba wiki)

We are using Samba 4.7.3 for the RODC.


Thanks


On 28.11.2017 at 19:55, Andrew Bartlett wrote:

> On Wed, 2017-11-29 at 07:26 +1300, Andrew Bartlett via samba wrote:
>> On Tue, 2017-11-28 at 15:03 +0000, Andrej Gessel via samba wrote:
>>> Hello list,
>>>
>>> I run “samba-tool rodc preload” for multiple users. If one of these users changes his password, should I repeat the preload call? (I suppose yes, I need to rerun.)
>>> If I need to rerun samba-tool, can the user log in with his old password until it expires? (I suppose yes?)
>> The design is that we get a replication event with a blank password in
>> it, causing the password to be wiped locally.  That triggers the next
>> login to go via the master DC which, if successful, triggers an async
>> replication of the new password.
>>
>> So, it is meant to be safe for password change/reset, and there are
>> tests for this.
> I should point out that the RODC is only working and secure in Samba
> 4.7 and above.
>
> Thanks,
>
> Andrew Bartlett


Re: Should Samba-tool RODC preload be run periodically?

Samba - General mailing list
On Thu, 2017-11-30 at 15:46 +0000, Andrej Gessel via samba wrote:
> Hello Andrew,
>
> thank you for the answer.
>
> 1) User credentials need to be preloaded with samba-tool to be
> automatically replicated later if they change, is that correct?

No, preloading just makes the first login faster.

> 2) And if a user tries to log in on the RODC without preloaded credentials, these
> credentials will not be cached? (as described in the Samba wiki)

No, the criterion for being cached is that the user account is in the
allowed RODC replication group and not in the denied one.

Can you point me at the incorrect section of the wiki?

> We are using Samba 4.7.3 for the RODC.

Good.

Andrew Bartlett
--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
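An added example (my own code, not from the Samba project or from either poster) that models the two rules in this thread: the caching criterion from Andrew's reply above, allowed RODC replication group minus denied group, and the password-change wipe he describes earlier, where the replicated blank password removes the cached entry and the next login goes to the writable DC. Group and user names are constructed, and the transitive (nested) membership evaluation is an assumption modelled on AD group semantics rather than something the thread states.

```python
# Added example modelling the RODC password-caching rule from the thread.
# Group and user names below are constructed for illustration.

ALLOWED_GROUP = "Allowed RODC Password Replication Group"
DENIED_GROUP = "Denied RODC Password Replication Group"

# Constructed directory: group -> direct members (users or nested groups).
GROUPS = {
    ALLOWED_GROUP: {"branch-users", "alice"},
    DENIED_GROUP: {"Domain Admins"},
    "branch-users": {"bob", "carol"},
    "Domain Admins": {"carol"},
}


def transitive_groups(principal, groups=GROUPS):
    """All groups the principal belongs to, following nesting (assumed
    transitive, as AD evaluates group membership)."""
    result, todo = set(), [principal]
    while todo:
        current = todo.pop()
        for name, members in groups.items():
            if current in members and name not in result:
                result.add(name)
                todo.append(name)
    return result


def can_cache(user, groups=GROUPS):
    """Deny wins over allow: cached only if in the allowed group and
    not (directly or via nesting) in the denied group."""
    memberships = transitive_groups(user, groups)
    return ALLOWED_GROUP in memberships and DENIED_GROUP not in memberships


class RodcCache:
    """Secrets held on the RODC. A successful login for a cacheable user
    triggers replication of the secret; a password change arrives as a
    replication event with a blank value and wipes the cached entry."""

    def __init__(self):
        self.cached = set()

    def login(self, user):
        """Return where the login is served: 'rodc' or the writable DC."""
        if user in self.cached:
            return "rodc"
        if can_cache(user):
            self.cached.add(user)   # async replication after success
        return "rwdc"

    def password_changed(self, user):
        self.cached.discard(user)   # blank password replicated -> wiped
```

Running `samba-tool rodc preload` for a user only performs the replication step ahead of time; in this model that is equivalent to a first successful login, so preloading does not need to be repeated after a password change.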



Re: Should Samba-tool RODC preload be run periodically?

Samba - General mailing list
On Fri, 01 Dec 2017 06:34:55 +1300
Andrew Bartlett via samba <[hidden email]> wrote:

> On Thu, 2017-11-30 at 15:46 +0000, Andrej Gessel via samba wrote:
> > Hello Andrew,
> >
> > thank you for the answer.
> >
> > 1) User credentials need to be preloaded with samba-tool to be
> > automatically replicated later if they change, is that correct?
>
> No, preloading just makes the first login faster.
>
> > 2) And if a user tries to log in on the RODC without preloaded credentials,
> > these credentials will not be cached? (as described in the Samba wiki)
>
> No, the criterion for being cached is that the user account is in the
> allowed RODC replication group and not in the denied one.
>
> Can you point me at the incorrect section of the wiki?
>

Hi Andrew, it is here:

https://wiki.samba.org/index.php/Join_a_domain_as_a_RODC

Rowland




Re: Should Samba-tool RODC preload be run periodically?

Samba - General mailing list
On Thu, 2017-11-30 at 17:51 +0000, Rowland Penny via samba wrote:

> On Fri, 01 Dec 2017 06:34:55 +1300
> Andrew Bartlett via samba <[hidden email]> wrote:
>
> >
> > Can you point me at the incorrect section of the wiki?
> >
>
> Hi Andrew, it is here:
>
> https://wiki.samba.org/index.php/Join_a_domain_as_a_RODC

Thanks.  I've clarified the text, in particular the confusing 'must'
regarding the preload.

Andrew Bartlett
--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

