Andrej Gessel
2017-Nov-28 15:03 UTC
[Samba] Should Samba-tool RODC preload be run periodically?
Hello list,

I run “samba-tool rodc preload” for multiple users. If one of these users changes his password, should I repeat the preload call? (I suppose yes, I need to rerun.)
If I need to rerun samba-tool, can the user log in with his old password till it expires? (I suppose yes?)

Thank you.
----------------------------------------------------------------------------------------------------------
Andrej Gessel (andrej.gessel at janztec.com)
Software Development
Andrew Bartlett
2017-Nov-28 18:26 UTC
[Samba] Should Samba-tool RODC preload be run periodically?
On Tue, 2017-11-28 at 15:03 +0000, Andrej Gessel via samba wrote:
> Hello list,
>
> I run “samba-tool rodc preload” for multiple users. If one of this users change his password, should I repeat the preload call? (I suppose yes, I need to rerun)
> If I need to rerun samba-tool, can user login with his old password till its expire? (I suppose yes?)

The design is that we get a replication event with a blank password in it, causing the password to be wiped locally. That triggers the next login to go via the master DC which, if successful, triggers an async replication of the new password.

So, it is meant to be safe for password change/reset, and there are tests for this.

Thanks for asking!

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
Andrew Bartlett
2017-Nov-28 18:55 UTC
[Samba] Should Samba-tool RODC preload be run periodically?
On Wed, 2017-11-29 at 07:26 +1300, Andrew Bartlett via samba wrote:
> On Tue, 2017-11-28 at 15:03 +0000, Andrej Gessel via samba wrote:
> > Hello list,
> >
> > I run “samba-tool rodc preload” for multiple users. If one of this users change his password, should I repeat the preload call? (I suppose yes, I need to rerun)
> > If I need to rerun samba-tool, can user login with his old password till its expire? (I suppose yes?)
>
> The design is that we get a replication event with a blank password in
> it, causing the password to be wiped locally. That triggers the next
> login to go via the master DC which if successful triggers a async
> replication of the new password.
>
> So, it is meant to be safe for password change/reset, and there are
> tests for this.

I should point out that the RODC is only working and secure in Samba 4.7 and above.

Thanks,

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
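The sequence Andrew describes (preload caches the secret, a password change replicates a blank secret that wipes the cache, the next logon is forwarded to the master DC, and a successful forwarded logon triggers replication of the new secret) can be followed in a small state-machine model. The code below is an added illustration written for this archive; it is not Samba's implementation, and the class names, the `allowed` set standing in for the RODC's password-replication policy, and the sample account data are all constructed for the example. It shows why the old password stops working at the RODC immediately after a change, rather than until it expires.

```python
"""Toy model of RODC password caching after a password change.

Constructed example: this is NOT Samba's code. It models the behaviour
described in the thread: preload caches a secret on the RODC; a password
change replicates a blank secret that wipes the cache; the next logon is
forwarded to the master DC; a successful forwarded logon causes the new
secret to be replicated to the RODC (modelled here synchronously).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class MasterDC:
    # account -> current password (constructed sample data)
    passwords: Dict[str, str]
    # RODCs that receive replication events (assumption: one-to-many push)
    rodcs: List["RODC"] = field(default_factory=list)

    def verify(self, account: str, password: str) -> bool:
        return self.passwords.get(account) == password

    def change_password(self, account: str, new_password: str) -> None:
        """Password change/reset: store the new secret and replicate a
        blank secret to every RODC, which wipes their cached copy."""
        self.passwords[account] = new_password
        for rodc in self.rodcs:
            rodc.receive_replication(account, None)


@dataclass
class RODC:
    master: MasterDC
    # account -> cached password, or None once wiped by replication
    cache: Dict[str, Optional[str]] = field(default_factory=dict)
    # accounts whose secrets this RODC may cache (stand-in for the
    # password replication policy; assumption made for the model)
    allowed: Set[str] = field(default_factory=set)
    # (path, account, success) records, useful for detection/audit
    audit: List[Tuple[str, str, bool]] = field(default_factory=list)

    def preload(self, account: str) -> None:
        """Equivalent of `samba-tool rodc preload <account>`: pull the
        current secret from the master and cache it locally."""
        self.allowed.add(account)
        self.cache[account] = self.master.passwords[account]

    def receive_replication(self, account: str, password: Optional[str]) -> None:
        """A replication event carrying a blank (None) password wipes the
        locally cached secret for that account."""
        if account in self.cache:
            self.cache[account] = password

    def login(self, account: str, password: str) -> bool:
        cached = self.cache.get(account)
        if cached is not None:
            # Usable local secret: authenticate at the RODC itself.
            ok = cached == password
            self.audit.append(("local", account, ok))
            return ok
        # No usable local secret: forward the logon to the master DC.
        ok = self.master.verify(account, password)
        self.audit.append(("forwarded", account, ok))
        if ok and account in self.allowed:
            # Successful forwarded logon triggers replication of the new
            # secret back to the RODC.
            self.cache[account] = self.master.passwords[account]
        return ok


def walkthrough() -> List[Tuple[str, bool]]:
    """Run the scenario from the thread and return (step, result) pairs."""
    master = MasterDC({"alice": "old-pw"})          # constructed account
    rodc = RODC(master)
    master.rodcs.append(rodc)
    rodc.preload("alice")
    steps = [("login old-pw after preload", rodc.login("alice", "old-pw"))]
    master.change_password("alice", "new-pw")
    steps.append(("cache wiped", rodc.cache["alice"] is None))
    steps.append(("login old-pw after change", rodc.login("alice", "old-pw")))
    steps.append(("login new-pw after change", rodc.login("alice", "new-pw")))
    steps.append(("new-pw now cached", rodc.cache["alice"] == "new-pw"))
    steps.append(("login new-pw served locally",
                  rodc.login("alice", "new-pw") and rodc.audit[-1][0] == "local"))
    return steps


if __name__ == "__main__":
    for step, result in walkthrough():
        print(f"{step}: {result}")
```

The `audit` list is where a defender would look: a burst of "forwarded" entries for an account that was preloaded indicates the cached secret was wiped and the master DC is being consulted, which is the expected pattern right after a password change and a useful signal if it persists. No re-run of `samba-tool rodc preload` is needed in this model; the forwarded logon refreshes the cache on its own.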