[Samba] design question for small environment

Stefan G. Weichinger lists at xunil.at
Mon Sep 10 10:57:17 UTC 2018

On 10.09.18 at 10:06, Oliver Rath via samba wrote:

> For this, you could take roaming profiles for offline use. Here the
> files were copied to the local machine cache and used, if no (or only a
> slow) network connection is available. Alternatively, you could use a
> "RODC" (Read only Domain Controller, a mirror of the AD) locally in the
> other office. As a third solution, you could use the RODC only for
> authorization, not for file server services, but normally a slow
> connection in the desert should be sufficient for authorization purposes.

I am not sure if I understand completely or if I described the 
requirements accordingly.

The department uses Thin Clients to access (a) the company 
networks/servers and (b) its own protected LAN (behind a firewall run by 
me) with some specific servers and VMs.

So the thin clients are primarily domain members in the domain 
"BigFatCompany" and would have to be members in the domain 
"ProtectedServers" as well.

I think that second ADS complicates everything, at least in relation to 
the rather small benefits.

We don't want to set up any trust between two domains or so. We don't 
trust that bigger environment ;-)

>> The users there wrote themselves a batch-script that connects their
>> network shares, it contains cleartext passwords ... bad
> Yes, really bad!
>> Now they had a security audit and we should get rid of that batch
>> file, sure.
> Good decision.

As mentioned in my other reply, a first thought is to simply edit the 
batch files and remove the password -> enter at run time.

>> I consider setting up an ADC for that one server overkill. And I
>> wonder where they would keep their passwords then, it wouldn't change
>> that.
> A small explanation for this question: If a Windows-machine is
> authorized on an AD, you can configure the network-fileserver without
> passwords. With the login password, the clients will get a so-called
> "granting ticket" from the AD, which can be used to mount a network
> directory to the machines without additional password entries, all
> secure encoded.

Sounds good, but sounds like we would have to trust the bigger AD.

We want to keep all the upstream IT out of our boxes (but on the other 
hand have to comply with the overall security standards).
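The batch-file change discussed in this thread, as an added example that is not the users' original script: the audited form with the embedded password, the same mapping with the password requested at run time, and the form that needs no password at all once the thin client is a member of the file server's domain and holds a Kerberos ticket. Server name, share name and user name are placeholders.

```batch
@echo off
rem Added example, not the script from the thread.
rem Placeholders: FILESRV (file server), Projects (share), PROTECTED\jdoe (user).

rem --- Before: the audited version. The password sits in cleartext in a
rem --- file that every user of the script (and anyone who can read it) sees.
rem net use P: \\FILESRV\Projects Secret123 /user:PROTECTED\jdoe

rem --- Step 1: same mapping, but "*" makes "net use" prompt for the
rem --- password at run time, so nothing secret is stored on disk.
rem --- /persistent:no keeps the mapping out of the user's saved connections.
net use P: \\FILESRV\Projects * /user:PROTECTED\jdoe /persistent:no
if errorlevel 1 (
    echo Mapping P: failed, check user name and password.
    exit /b 1
)

rem --- Step 2 (once the thin client is joined to the file server's domain):
rem --- no credentials in the script at all. SMB authenticates with the
rem --- Kerberos ticket obtained at logon. "klist" afterwards should list the
rem --- ticket-granting ticket and a cifs/FILESRV service ticket; if it shows
rem --- none, the mapping fell back to a password-based logon.
rem net use P: \\FILESRV\Projects /persistent:no
rem klist
```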
