[Samba] design question for small environment

Rowland Penny rpenny at samba.org
Mon Sep 10 11:13:45 UTC 2018

On Mon, 10 Sep 2018 12:57:17 +0200
"Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:

> Am 10.09.18 um 10:06 schrieb Oliver Rath via samba:
> > For this, you could take roaming profiles for offline use. Here the
> > files were copied to the local machine cache and used, if no (or
> > only a slow) network connection is available. Alternativly, you
> > could use a "RODC" (Read only Domain Controller, a mirror of the
> > AD) locally in the another office. As a third solution, you could
> > use the RODC only for authorization, not for file server services,
> > but normally a slow connection in the desert should be sufficient
> > for authorization purposes.
> I am not sure if I understand completely or if I described the 
> requirements accordingly.
> The department uses Thin Clients to access (a) the company 
> networks/servers and (b) its own protected LAN (behind a firewall run
> by me) with some specific servers and VMs.
> So the thinclients are primarily domain members in the domain 
> "BigFatCompany" and would have to be members in the domain 
> "ProtectedServers" as well.

That does change things, it sounded like you were running a small
workgroup, not an adjunct to a domain.

If you don't want passwords stored anywhere, or floating about the lan,
then you need to join the two standalone servers to the domain,
probably one as a DC or RODC and then only allow access to the
shares from the thinclients via ACLs.


More information about the samba mailing list