[Samba] DMZ Kerberos authentication, is Samba needed or helpful?

Nico Kadel-Garcia nkadel at gmail.com
Sat Jun 30 11:14:06 MDT 2012


I'm dealing with an environment with AD servers in a normal working
environment, all working and happy. I'm using bare Kerberos
authentication for my Linux hosts to authenticate local accounts
against the AD server, all well and good, I've not needed to integrate
LDAP support and don't want to.

But there are DMZ VLANs with hosts exposed directly to the Internet.
I'd like to allow those hosts similar authentication, and do *NOT*
want to slap an AD server into the DMZ, for more security reasons than
I can count. What I'd love to do is to set up either a Samba server,
slaved to the master AD servers, to handle authentication and *not*
allow propagating any changes to AD servers, basically a pure slave
server. This way, I can do it on a far more secure Linux system than
most AD servers could ever hope to be and protect it from the DMZ
hosts or accidental external exposure.

Or, if I can do it, just set up a pure Kerberos slave. Again, I can
secure that a lot more than I can hope to secure an AD server. And I'd
love to have that *only* handle authentication, not allow password
changing or queries against the Kerberos.

Will I need or benefit from Samba for this? Or has someone here done
the simple Kerberos slave setup and can point me to some notes?

[ In case it's not clear, I wrote some of the early Samba ports to
SunOS, so I know the basic capabilities and architecture. ]

