[Samba] Samba 4.8 RODC not working

Gaetan SLONGO gslongo at it-optics.com
Thu Jun 14 10:35:56 UTC 2018


Hi, 


Ok, I understand your point of view. So what do you advise? Creating a separate domain dedicated to the DMZ?
I was thinking of managing security using strict firewall rules, but yes, this is a hole...


Thanks 

----- Original Message -----

From: "Rowland Penny via samba" <samba at lists.samba.org>
To: samba at lists.samba.org
Sent: Thursday 14 June 2018 12:23:13
Subject: Re: [Samba] Samba 4.8 RODC not working

On Thu, 14 Jun 2018 10:23:56 +0200 (CEST) 
Gaetan SLONGO <gslongo at it-optics.com> wrote: 

> Hi Rowland,
> 
> 
> I read the doc. 
> The reason is the usual one. We need authentication inside the DMZ
> zone and do not want any modification from this zone. We also need a
> fileserver in this zone where corporate users can log in. We are
> asked to keep the solution simple, easy to understand and maintain. I
> can force authentication to this DC instead of choosing the DC
> "randomly".
> 
> 
> So, do you see better solution than RODC ? 

Yes, do not do it ;-) 

You say that you are going to put a fileserver into the DMZ as well and
your users will log into this. This means that the RODC will have to
ask a DC to authenticate the users, which means punching holes in the
firewall between your DMZ and internal network; any extra holes in a
firewall are a security risk.
Also, by putting the fileserver in the DMZ, you are placing there
something that will very, very probably cache usernames and passwords.

It is your network and you may get to pick up the pieces if it all goes 
wrong. 

Rowland 


--
Gaëtan SLONGO | Head of Infrastructure Department
IT-Optics, Boulevard Initialis, 28 - 7000 Mons, BELGIUM
www.it-optics.com