[Samba] Read Only DC in one way only
Rowland Penny
rpenny at samba.org
Fri Sep 15 10:07:51 UTC 2017
On Fri, 15 Sep 2017 10:38:27 +0200
Robert Leuter via samba <samba at lists.samba.org> wrote:
> Greetings to all,
>
> I've got a quick question regarding the RODC functionality. We have a
> web application in the DMZ, which has to use the user authentication
> from our domain. So we want to use the LDAP backend to talk to the
> domain and check the credentials. The problem we are running into
> right now is that the webserver cannot talk into the LAN and make
> requests via LDAP. So we searched for a solution and found the RODC.
> The idea is that the RODC is located in the DMZ. The RODC then gets
> replicated in only one way (first question: is it even possible to
> talk in one way?), so we can ask the RODC via LDAP for the
> authentication.
>
> MAIN DC (LAN) ---> RODC (DMZ) (Only connections from inside to
> outside)
>
> Web App (DMZ) --> RODC (DMZ)
>
> How would you solve this problem, that we need domain user accounts
> in the "evil" internet? Of course, it would be a major security flaw
> if we opened the DMZ ports to the LAN. So keep that in mind please.
>
> We would be very grateful for an answer.
>
> Greetings from Germany,
>
> Robert Leuter
I would suggest you go and read this:
https://www.linkedin.com/pulse/active-directory-dmz-nuts-marcus-rivera
If you do decide to try putting a Samba RODC in the DMZ, you should be
aware they DO NOT work yet, this will change when 4.7.0 comes out (end
of month hopefully)
Rowland
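The credential check the question describes, as an added example that is not from this thread or from the Samba project: the DMZ web application sends an LDAP simple bind (RFC 4511) to the RODC over LDAPS and treats resultCode 0 as a valid password. It uses only the Python standard library, so the BER encoding is done by hand; the host name, the UPN suffix `example.com`, the username policy and the sample response bytes are constructed. Two checks that a bind-based login must make are included: a bind with a name and an empty password is an unauthenticated bind (RFC 4513 section 5.1.2), which Active Directory answers with success by default, so it is rejected before anything is sent; and the username is validated before it is placed in the bind name. Note also that an RODC pulls its replica from a writable DC and forwards logons for accounts it has not cached, so the RODC itself needs outbound reach to the LAN DC; the strictly one-way design sketched above does not allow for that.

```python
"""LDAP simple bind against a DMZ RODC, built from the standard library only.
Added example; host, UPN suffix, username policy and sample responses are
constructed, not taken from the thread or from Samba."""
import re
import socket
import ssl

USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")  # assumption: adapt to your naming policy
UPN_SUFFIX = "example.com"                          # constructed; your forest's UPN suffix

# --- minimal BER encoder / decoder (RFC 4511 uses a small BER subset) -------
def ber_len(n):
    """BER length: short form below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def ber(tag, payload):
    """One tag-length-value element."""
    return bytes([tag]) + ber_len(len(payload)) + payload

def ber_int(v):
    """Non-negative INTEGER; sized so the sign bit of the first byte stays clear."""
    return ber(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def tlv(buf, pos=0):
    """Decode one element at pos; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length

# --- LDAP messages ----------------------------------------------------------
def bind_request(msg_id, name, password):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }."""
    bind = ber(0x60, ber_int(3) + ber(0x04, name.encode()) + ber(0x80, password.encode()))
    return ber(0x30, ber_int(msg_id) + bind)

def parse_bind_response(data):
    """Return (messageID, resultCode, diagnosticMessage) from a BindResponse [APPLICATION 1]."""
    tag, msg, _ = tlv(data)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    tag, mid, p = tlv(msg)
    if tag != 0x02:
        raise ValueError("missing messageID")
    tag, resp, _ = tlv(msg, p)
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    tag, code, p = tlv(resp)          # resultCode ENUMERATED
    if tag != 0x0A:
        raise ValueError("missing resultCode")
    _, _matched_dn, p = tlv(resp, p)  # matchedDN, unused here
    _, diag, _ = tlv(resp, p)         # diagnosticMessage
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode("utf-8", "replace")

# --- the checks that make a bind a credential check -------------------------
def reject_reason(username, password):
    """Input checks that must run BEFORE the bind; None means it is safe to send."""
    if not USERNAME_RE.fullmatch(username):
        return "username outside the allowed character set"
    if password == "":
        # name + empty password is an *unauthenticated* bind (RFC 4513 5.1.2);
        # Active Directory returns resultCode 0 for it by default, so an app
        # that only tests for success would accept any username with no password.
        return "empty password would be an anonymous bind, not a credential check"
    return None

def credentials_accepted(response, expected_id):
    """True only for a success result that answers our own request."""
    mid, code, _diag = parse_bind_response(response)
    return mid == expected_id and code == 0

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf

def authenticate(host, username, password, port=636, ca_file=None):
    """Live check over LDAPS (certificate verified). Returns True only on resultCode 0."""
    if reject_reason(username, password):
        return False
    ctx = ssl.create_default_context(cafile=ca_file)
    req = bind_request(1, f"{username}@{UPN_SUFFIX}", password)
    with socket.create_connection((host, port), timeout=5) as raw, \
         ctx.wrap_socket(raw, server_hostname=host) as tls:
        tls.sendall(req)
        head = recv_exact(tls, 2)
        length = head[1]
        if length & 0x80:                       # long-form length
            ext = recv_exact(tls, length & 0x7F)
            head, length = head + ext, int.from_bytes(ext, "big")
        body = recv_exact(tls, length)
    return credentials_accepted(head + body, 1)

# Constructed sample responses: success, and invalidCredentials (49).
SAMPLE_SUCCESS = bytes.fromhex("300c02010161070a010004000400")
SAMPLE_INVALID = ber(0x30, ber_int(1) + ber(0x61, ber(0x0A, b"\x31") + ber(0x04, b"")
                                                 + ber(0x04, b"invalid credentials")))
```

`authenticate()` is the only function that touches the network; everything else is pure and can be exercised with the constructed byte strings, which is also how to unit-test the parser before pointing it at a real RODC. A production deployment would add a per-connection message ID rather than the fixed 1, and would bind with a service account and search for the user's DN when UPN binds are not permitted.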