I looked all over the place, and cannot find a current answer.

I want to store passwords/password hashes on my RODC, so that when my DC (Windows) fails, my users can still connect using the RODC.

The current state that is described (by 3-year-old docs) says it's WIP, so I'm not sure what to expect?

Also, in the documentation there is no option to allow for preloading a whole group of users, is that correct? The only possible way is to preload 1 user at a time? (Only if the previous answer is "yes" ofc)

Regards,
Mikołaj
On Fri, 2015-05-15 at 14:38 +0200, Mikołaj Liberski wrote:
> I looked all over the place, and cannot find a current answer.
>
> I want to store passwords/password hashes on my RODC, so that when my DC
> (Windows) fails, my users can still connect using the RODC.
>
> The current state that is described (by 3-year-old docs) says it's WIP, so
> I'm not sure what to expect?

It will appear to work in some situations, but I'm not confident, for example, that if you change a user's password, we will correctly see that on the RODC. Also, preload due to a bad/missing Kerberos password isn't implemented.

I'm sure some of our users are bold, and perhaps they have real-world experience, but I would like to see it backed by significantly more tests before it was used in production.

> Also, in the documentation there is no option to allow for preloading a whole
> group of users, is that correct? The only possible way is to preload 1 user
> at a time? (Only if the previous answer is "yes" ofc)

Yes, preloading is something you will have to do per-user.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
On Saturday, 16.05.2015, 07:05 +0200, Andrew Bartlett wrote:
> It will appear to work in some situations, but I'm not confident, for
> example, that if you change a user's password, that we will correctly
> see that on the RODC. Also, preload due to a bad/missing Kerberos
> password isn't implemented.
>

Yes, my still limited experience is that if somebody changes his password and the connection between the RODC and the DC goes offline, the RODC still has the old password in its cache. So you have to preload the user again to get his new password into the RODC cache.

> > Also, in the documentation there is no option to allow for preloading a whole
> > group of users, is that correct? The only possible way is to preload 1 user
> > at a time? (Only if the previous answer is "yes" ofc)
>
> Yes, preloading is something you will have to do per-user.

Yes, it seems that this works only on a per-user basis.

Greetings,
Roman
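As an added example (not from the thread and not Samba's own tooling), the per-user limitation discussed above can be wrapped in a small POSIX shell script that pipes the member list of a group into one `samba-tool rodc preload` call per account; it assumes `samba-tool` is on PATH, that `-H` is used to point the command at the RODC, and that the group name and RODC URL are placeholders you replace. Since the thread notes that a changed password is not refreshed on the RODC by itself, rerunning the same script after password changes is the operational step that keeps the cache current.

```shell
#!/bin/sh
# Added example: preload every member of a group onto a Samba RODC, one
# account at a time, because samba-tool preloads per account.
# Assumes: samba-tool on PATH; -H targets the RODC; GROUP/RODC_URL are yours.
set -eu

# Clean the one-name-per-line output of `samba-tool group listmembers`:
# drop blank lines and comments, skip computer accounts (names ending in "$"),
# and de-duplicate. Nested group names are not expanded; they pass through.
filter_accounts() {
    grep -v '^[[:space:]]*$' | grep -v '^#' | grep -v '\$$' | sort -u
}

# Run (or, with DRY_RUN=1, print) the preload command for one account.
preload_one() {
    account=$1
    rodc_url=${2:-}
    if [ -n "$rodc_url" ]; then
        set -- samba-tool rodc preload "$account" -H "$rodc_url"
    else
        set -- samba-tool rodc preload "$account"
    fi
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Read member names from stdin and preload each one; the caller pipes
# `samba-tool group listmembers "$GROUP"` into this function.
preload_group_from_stdin() {
    filter_accounts | while IFS= read -r account; do
        preload_one "$account" "${1:-}"
    done
}

# Usage (placeholders): set GROUP and RODC_URL, then run for real or dry-run.
#   GROUP="Domain Users"  RODC_URL="ldap://rodc1.example.com"
#   samba-tool group listmembers "$GROUP" | preload_group_from_stdin "$RODC_URL"
#   samba-tool group listmembers "$GROUP" | DRY_RUN=1 preload_group_from_stdin "$RODC_URL"
```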