Re: [Samba] design question for small environment
- Date: Mon, 10 Sep 2018 12:57:17 +0200
- From: "Stefan G. Weichinger via samba" <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] design question for small environment
On 10.09.18 at 10:06, Oliver Rath via samba wrote:
For this, you could take roaming profiles for offline use. Here the
files are copied to the local machine cache and used if no (or only a
slow) network connection is available. Alternatively, you could use a
"RODC" (Read Only Domain Controller, a mirror of the AD) locally in the
other office. As a third solution, you could use the RODC only for
authorization, not for file server services, but normally a slow
connection in the desert should be sufficient for authorization purposes.
I am not sure if I understand completely or if I described the
The department uses Thin Clients to access (a) the company
networks/servers and (b) its own protected LAN (behind a firewall run by
me) with some specific servers and VMs.
So the thin clients are primarily domain members in the domain
"BigFatCompany" and would have to be members in the domain
"ProtectedServers" as well.
I think that second ADS complicates everything, at least in relation to
the rather small benefits.
We don't want to set up any trust between two domains or so. We don't
trust that bigger environment ;-)
The users there wrote themselves a batch-script that connects their
network shares, it contains cleartext passwords ... bad
Yes, really bad!
Now they had a security audit and we should get rid of that batch
As mentioned in my other reply, a first thought is to simply edit the
batch files and remove the password -> enter at run time.
I consider setting up an ADC for that one server overkill. And I
wonder where they would keep their passwords then, it wouldn't change
A small explanation for this question: If a Windows-machine is
authorized on an AD, you can configure the network-fileserver without
passwords. With the login password, the clients will get a so-called
"granting ticket" from the AD, which can be used to mount a network
directory to the machines without additional password entries, all
Sounds good, but sounds like we would have to trust the bigger AD.
We want to keep all the upstream IT out of our boxes (but on the other
hand have to comply with the overall security standards).
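The "remove the password from the batch file and enter it at run time" fix discussed above, as an added example; this is not a script from the thread or from the Samba project. The share path \\fileserver\projects, the drive letter P: and the domain name PROTECTEDSERVERS are placeholders assumed for illustration; the insecure line is shown only as a comment so it is never executed.

```powershell
# Added example (not from the mailing-list thread). Placeholders:
# \\fileserver\projects, drive P:, domain PROTECTEDSERVERS.

# BEFORE (what the users' batch file effectively did): the password sits in
# cleartext in a file on disk and appears in the process command line.
#   net use P: \\fileserver\projects /user:PROTECTEDSERVERS\alice S3cretPassw0rd

# AFTER, variant 1 (still a batch file): a literal '*' as the password
# argument makes net.exe prompt for it at run time, so nothing is stored.
#   net use P: \\fileserver\projects /user:PROTECTEDSERVERS\alice *

# AFTER, variant 2 (PowerShell): prompt once with Get-Credential and hand the
# SecureString-backed PSCredential to New-PSDrive. -Persist makes the mapping
# an ordinary mapped drive visible in Explorer; the secret only ever lives in
# this session's memory, never in a script.
function Connect-ProtectedShare {
    param(
        [Parameter(Mandatory)] [string] $DriveLetter,   # e.g. 'P'
        [Parameter(Mandatory)] [string] $UncPath,       # e.g. '\\fileserver\projects'
        [string] $UserName = "PROTECTEDSERVERS\$env:USERNAME"
    )

    # Get-Credential is the only source of the secret; there is deliberately
    # no -Password parameter, so nobody can put one back into the script.
    $cred = Get-Credential -UserName $UserName -Message "Password for $UncPath"
    if (-not $cred) { throw "No credential supplied; not mapping $UncPath" }

    # Drop a stale mapping of the same letter before re-mapping.
    if (Get-PSDrive -Name $DriveLetter -ErrorAction SilentlyContinue) {
        Remove-PSDrive -Name $DriveLetter -Force
    }

    # -Scope Global is required for a -Persist drive created inside a
    # function to survive after the function returns.
    New-PSDrive -Name $DriveLetter -PSProvider FileSystem -Root $UncPath `
                -Credential $cred -Persist -Scope Global | Out-Null
}

Connect-ProtectedShare -DriveLetter 'P' -UncPath '\\fileserver\projects'
```

If prompting at every logon is unacceptable, the secret can be placed in the user's Windows Credential Manager instead (`cmdkey /add:fileserver /user:PROTECTEDSERVERS\alice /pass` prompts for the password and stores it DPAPI-protected under that user's profile), after which a plain `net use P: \\fileserver\projects` picks it up without any password in the script. Neither variant gives the ticket-based, password-free mount that a domain join (the AD option discussed above) would; they only remove the cleartext password from the batch file.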