[Samba] Read Only DC in one way only

Rowland Penny rpenny at samba.org
Fri Sep 15 10:07:51 UTC 2017

On Fri, 15 Sep 2017 10:38:27 +0200
Robert Leuter via samba <samba at lists.samba.org> wrote:

> Greetings to all,
> I've got a quick question regarding the RODC functionality. We have a
> web application in the DMZ, which has to use the user authentication
> from our domain. So we want to use the LDAP backend to talk to the
> domain and check the credentials. The problem we are running into
> right now is that the webserver can not talk into the LAN and make
> requests via LDAP. So we searched for a solution and found the ROCD.
> The idea is, that the ROCD is located in the DMZ. The ROCD then gets
> replicated in only one way (First question: is that even possible to
> talk in one way?), so we can ask the ROCD via LDAP for the
> authentication.
> MAIN DC (LAN) ---> ROCD (DMZ) (Only connections from inside to
> outside)
> Web App (DMZ) --> ROCD (DMZ)
> How would you solve this problem, that we need domain user accounts
> in the "evil" internet? Of course, it would be a major security flaw
> if we opened the DMZ ports to the LAN. So keep that in mind please.
> We would be very pleased for an answer.
> Greetings from Germany,
> Robert Leuter

I would suggest you go and read this:


If you do decide to try putting a Samba RODC in the DMZ, you should be
aware they DO NOT work yet, this will change when 4.7.0 comes out (end
of month hopefully)


More information about the samba mailing list