[Samba] Samba AD-DC in the cloud

Sven Schwedas sven.schwedas at tao.at
Mon Jan 27 16:34:00 UTC 2020

On 27.01.20 17:02, Stephen Atkins via samba wrote:
> I got some spam the other day advertising AWS hosting a Windows AD
> controller.  Got me thinking that there are cheaper routes to do this.
> There are a lot of hosting services where one could put a Samba AD-DC on a
> server in the "cloud".  I probably wouldn't do this as it could become a
> security nightmare.  What are others thoughts?
> Sorry if this doesn't belong here.  Just thought the expertise in this
> group would be a good place to start.

From a purely technical point of view it works just fine; we're running
all our Samba infrastructure as containers, for example. While it's not quite
amenable to fully automated deployments (e.g. joining machines without
leaving domain admin credentials all over the place), we need few
enough Samba instances that it's easier to hand-tune them as part of the
overall container architecture than running a separate for them.

The question is, does it make sense for your workloads?

• If you're running a lot of AD-authenticated services in whatever cloud
you're using, it's probably a good idea to manage AD as part of it. Not
sure if AWS Directory Services is cheaper than running Samba ADDC on an
equally fast AWS instance, that'd need benchmarking. AWSDS is *probably*
cheaper at scale, but no idea where the break-even point is, given that
you have variable costs for stuff like "maintenance overhead"; Amazon
(hopefully) does that for you with AWSDS.

• If you're using AD to authenticate end user devices, it's probably
more effort to establish a secure connection between AWSDS or your own
cloud Samba AD and their machines than it would be to run a local DC on
an entry-level server.
(Microsoft Azure AD "solves" this by not being AD at all and just being
SAML/OAuth/OID with AD federation as optional feature, and limited
client compatibility outside current MS products and webshit.)

That's all assuming your cloud vendor is as trustworthy as a regular data
center. YMMV if that's true for you.

Best Regards,
Sven Schwedas, Systemadministrator
✉ sven.schwedas at tao.at | ☎ +43 680 301 7167
TAO Digital   | Part of TAO Beratungs- & Management GmbH
Lendplatz 45  | FN 213999f/Klagenfurt, Commercial Register Court Villach
A8020 Graz    | https://www.tao-digital.at
