[Samba] DMZ Kerberos authentication, is Samba needed or helpful?

[Andrew Bartlett]

On Sat, 2012-06-30 at 13:14 -0400, Nico Kadel-Garcia wrote:
> I'm dealing with an environment with AD servers in a normal working
> environment, all working and happy. I'm using bare Kerberos
> authentication for my Linux hosts to authenticate local accounts
> against the AD server, all well and good, I've not needed to integrate
> LDAP support and don't want to.
> 
> But there are DMZ VLAN's with hosts exposed directly to the Internet.
> I'd like to allow those hosts similar authentication, and do *NOT*
> want to slap an AD server into the DMZ, for more security reasons than
> I can count. What I'd love to do is to set up either a Samba server,
> slaved to the master AD servers, to handle authentication and *not*
> allow propagating any changes to AD servers, basically a pure slave
> server. This way, I can do it on a far more secure Linux system than
> most AD servers could ever hope to be and protect it from the DMZ
> hosts or accidental external exposure.
> 
> Or, if I can do it, just set up a pure Kerberos slave. Again, I can
> secure that a lot more than I can hope to secure an AD server. And I'd
> love to have that *only* handle authentication, not allow password
> changing or queries against the Kerberos.
> 
> Will I need or benefit from Samba for this? Or has someone here done
> the simple Kerberos slave setup and can point me to some notes?
> 
> [ In case it's not clear, I wrote some of the early Samba ports to
> SunOS, so I know the basic capabilities and architecture. ]

Samba 4.0 as an AD RODC would seem to fit the bill here.  

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org