[Samba] Samba 4.8 RODC not working
Gaetan SLONGO
gslongo at it-optics.com
Thu Jun 14 10:35:56 UTC 2018
Hi,
OK, I understand your point of view. So what do you advise? Creating a separate domain dedicated to the DMZ?
I was thinking of managing security using strict firewall rules, but yes, this is a hole.
Thanks
----- Original Message -----
From: "Rowland Penny via samba" <samba at lists.samba.org>
To: samba at lists.samba.org
Sent: Thursday 14 June 2018 12:23:13
Subject: Re: [Samba] Samba 4.8 RODC not working
On Thu, 14 Jun 2018 10:23:56 +0200 (CEST)
Gaetan SLONGO <gslongo at it-optics.com> wrote:
> Hi Rowland,
>
>
> I read the doc.
> The reason is the usual one. We need authentication inside the DMZ
> zone and do not want any modification from this zone. We also need a
> fileserver in this zone where corporate users can log in. We are
> asked to keep the solution simple, easy to understand and maintain. I
> can force authentication to this DC instead of choosing the DC
> "randomly".
>
>
> So, do you see a better solution than RODC?
Yes, do not do it ;-)
You say that you are going to put a fileserver into the DMZ as well and
your users will log into this. This means that the RODC will have to
ask a DC to authenticate the users, this means punching holes in the
firewall between your DMZ and internal network, any extra holes in a
firewall are a security risk.
Also by putting the fileserver in the DMZ, you are placing there,
something that will very very probably cache usernames and passwords.
It is your network and you may get to pick up the pieces if it all goes
wrong.
Rowland
--
www.it-optics.com
Gaëtan SLONGO | Head of Infrastructure Department
Boulevard Initialis, 28 - 7000 Mons, BELGIUM
Company : +32 (0)65 84 23 85
Direct : +32 (0)65 32 85 88
Fax : +32 (0)65 84 66 76
Skype ID : gslongo.pro
GPG Key : gslongo-gpg_key.asc