use of a DNS cache in front of samba4 internal DNS
David Mansfield
samba at dm.cobite.com
Wed Feb 13 13:25:46 MST 2013
On 02/13/2013 01:53 PM, Marc Muehlfeld wrote:
> Hello,
>
> Am 13.02.2013 17:58, schrieb David Mansfield:
>> In particular I'd like postfix to auth. my users, and as I understand it
>> I have two options, one is to join the machine to the domain
>> (pam_winbind) and then postfix will authenticate that way (via pam), and
>> the other would be to use postfix with SASL and in turn have sasl use
>> kerberos5 or ldap.
>>
>> In case anyone has read this far and has suggestions, I'd love to hear
>> them, and also w.r.t using sasl and kerberos5, how do I set up a keytab
>> and SPN using samba4? I've googled and googled and cannot seem to get
>> it straight.
>
>
> This is how I solved this:
>
> Here I have in my internal network my samba4 DC and in the DMZ my
> mailserver.
>
> On my mailserver I have installed openLDAP in proxy mode against AD:
> https://wiki.samba.org/index.php/Samba4/beyond#openLDAP_proxy_to_AD
>
>
> Then I made the AD users available on my mailserver by nslcd over the
> openLDAP proxy:
> https://wiki.samba.org/index.php/Samba4/beyond#Nslcd:_User.2FGroups_from_AD_through_openLDAP_proxy
>
>
>
> And finally I configured that the users were authenticated against
> AD (through the openLDAP proxy):
> https://wiki.samba.org/index.php/Samba4/beyond#Authentication_against_AD_through_openLDAP_proxy
>
>
This is great info. I may do the exact same thing as you have
described. I have a few follow-up questions: do you know if this
configuration can coexist with GSSAPI authentication? I'd like for users
on the network to be able to single-sign-on (and outside users still
require password), although given the cleanliness of your approach it
may be worth sacrificing. I especially like that there are no DNS
changes, no winbind etc.
Second question, when you have a "connect account" (e.g.
cn=nslcd-connect,cn=Users,...), how should such an account be
provisioned so that the privileges are as low as possible?
Thanks,
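A constructed configuration sketch of the three steps Marc describes (openLDAP in proxy mode in front of AD, nslcd resolving users through that proxy, PAM authenticating over the same path); this is an added example, not taken from the thread or the Samba wiki, and the hostnames, base DN, and the nslcd-connect account's DN and password are assumed placeholders. The comments mark where the connect account's privileges actually matter.

```conf
# --- /etc/openldap/slapd.conf (constructed example; hosts and DNs are assumed) ---
moduleload    back_ldap
database      ldap
suffix        "dc=example,dc=com"           # must equal the AD domain's base DN
uri           "ldap://dc1.example.com/"     # the Samba4 DC on the internal network
protocol-version 3
rebind-as-user   yes     # a user's own simple bind is forwarded to AD as that user
chase-referrals  no
# Searches that arrive unbound are performed as the low-privilege connect account.
# mode=none: the proxy binds as this account and asserts no other identity, so the
# account only needs to read the user/group attributes nslcd maps below.
idassert-bind bindmethod=simple
    binddn="cn=nslcd-connect,cn=Users,dc=example,dc=com"
    credentials="CHANGE-ME"
    mode=none
idassert-authzFrom "*"
# Only daemons on the mailserver itself may use the proxy.
access to * by peername.ip=127.0.0.1 read by * none

# --- /etc/nslcd.conf (AD users/groups via the proxy above) ---
uri     ldap://127.0.0.1/
base    dc=example,dc=com
binddn  cn=nslcd-connect,cn=Users,dc=example,dc=com
bindpw  CHANGE-ME
# Only accounts that carry RFC2307 uidNumber/gidNumber attributes become POSIX users.
filter  passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*))
map     passwd uid           sAMAccountName
map     passwd homeDirectory "/home/$sAMAccountName"
map     passwd gecos         displayName
map     passwd loginShell    "/bin/bash"
filter  group  (&(objectClass=group)(gidNumber=*))
map     group  uniqueMember  member
# PAM: a user authenticates by binding as themselves through the proxy, so the
# connect account's password is never used to verify anyone's password.
pam_authz_search (&(objectClass=user)(sAMAccountName=$username))
```

With this layout the connect account needs read access to the user and group attributes only; it never binds on a user's behalf and does not need write rights or membership in any privileged AD group.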