[Samba] design question for small environment

Oliver Rath rath at mglug.de
Mon Sep 10 08:06:25 UTC 2018

Hi Stefan!

On 10.09.2018 08:35, Stefan G. Weichinger via samba wrote:
> Greetings samba-users
> another "design issue" here
> I run 2 servers in a very closed environment, basically it is only one
> fileserver, the 2nd does snapshots and backups etc
> That server is configured as standalone and knows only ~6 local users.
> No ADS, no domain membership.

AD sounds also senseful for this.

> Think of a separated department in a company which has to be as
> disconnected from the company's IT as possible.

For this, you could take roaming profiles for offline use. Here the
files were copied to the local machine cache and used, if no (or only a
slow) network connection is available. Alternativly, you could use a
"RODC" (Read only Domain Controller, a mirror of the AD) locally in the
another office. As a third solution, you could use the RODC only for
authorization, not for file server services, but normally a slow
connection in the desert should be sufficient for authorization purposes.

> The users there wrote themselves a batch-script that connects their
> network shares, it contains cleartext passwords ... bad
Yes, really bad!
> Now they had a security audit and we should get rid of that batch
> file, sure.
Good decision.

> I consider setting up an ADC for that one server overkill. And I
> wonder where they would keep their passwords then, it wouldn't change
> that.

A small explanation for this question: If a Windows-machine is
authorized on an AD, you can configure the network-fileserver without
passwords. With the login password, the clients will get a so called
"granting ticket" from the AD, which can be used to mount a network
directory to the machines without additional password entries, all
secure encoded.

> And connecting to the company's AD isn't wanted because that would
> allow the "upstream IT" access to the protected server.

This isnt really clear to me. What exactly is the apprehension?

> How do other admins solve that?
> I'd appreciate any clever suggestions or examples.


More information about the samba mailing list