[Samba] Samba 4.8 RODC not working

Rowland Penny rpenny at samba.org
Thu Jun 14 10:23:13 UTC 2018


On Thu, 14 Jun 2018 10:23:56 +0200 (CEST)
Gaetan SLONGO <gslongo at it-optics.com> wrote:

> Hi Rowland,
> 
> 
> I read the doc. 
> The reason is the usual one. We need authentication inside the DMZ
> zone and do not want any modification from this zone. We also need a
> fileserver into this zone where corporate users can log in. We are
> asked to keep the solution simple, easy to understand and maintain. I
> can force authentication to this DC instead of choosing the DC
> "randomly". 
> 
> 
> So, do you see a better solution than RODC?

Yes, do not do it ;-)

You say that you are going to put a fileserver into the DMZ as well and
your users will log into this. This means that the RODC will have to
ask a DC to authenticate the users; this means punching holes in the
firewall between your DMZ and internal network, and any extra holes in a
firewall are a security risk.
Also, by putting the fileserver in the DMZ, you are placing there
something that will very, very probably cache usernames and passwords.

It is your network and you may get to pick up the pieces if it all goes
wrong.

Rowland



