Re: [Samba] Read Only DC in one way only

On Fri, 15 Sep 2017 10:38:27 +0200
Robert Leuter via samba <samba@xxxxxxxxxxxxxxx> wrote:

> Greetings to all,
> 
> I've got a quick question regarding the RODC functionality. We have a
> web application in the DMZ, which has to use the user authentication
> from our domain. So we want to use the LDAP backend to talk to the
> domain and check the credentials. The problem we are running into
> right now is that the webserver cannot talk into the LAN and make
> requests via LDAP. So we searched for a solution and found the RODC.
> The idea is that the RODC is located in the DMZ. The RODC then gets
> replicated in only one way (first question: is it even possible to
> talk in one way?), so we can ask the RODC via LDAP for the
> authentication.
> 
> MAIN DC (LAN) ---> RODC (DMZ) (only connections from inside to
> outside)
> 
> Web App (DMZ) --> RODC (DMZ)
> 
> How would you solve this problem, that we need domain user accounts
> in the "evil" internet? Of course, it would be a major security flaw
> if we opened the DMZ ports to the LAN. So keep that in mind please.
> 
> We would be very pleased for an answer.
> 
> Greetings from Germany,
> 
> Robert Leuter
> 

I would suggest you go and read this:

https://www.linkedin.com/pulse/active-directory-dmz-nuts-marcus-rivera

If you do decide to try putting a Samba RODC in the DMZ, you should be
aware that they DO NOT work yet; this will change when 4.7.0 comes out
(end of month, hopefully).

Rowland

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba