On Sat, 2012-06-30 at 13:14 -0400, Nico Kadel-Garcia wrote:
> I'm dealing with an environment with AD servers in a normal working
> environment, all working and happy. I'm using bare Kerberos
> authentication for my Linux hosts to authenticate local accounts
> against the AD server, all well and good, I've not needed to integrate
> LDAP support and don't want to.
>
> But there are DMZ VLANs with hosts exposed directly to the Internet.
> I'd like to allow those hosts similar authentication, and do *NOT*
> want to slap an AD server into the DMZ, for more security reasons than
> I can count. What I'd love to do is to set up either a Samba server,
> slaved to the master AD servers, to handle authentication and *not*
> allow propagating any changes to AD servers, basically a pure slave
> server. This way, I can do it on a far more secure Linux system than
> most AD servers could ever hope to be and protect it from the DMZ
> hosts or accidental external exposure.
>
> Or, if I can do it, just set up a pure Kerberos slave. Again, I can
> secure that a lot more than I can hope to secure an AD server. And I'd
> love to have that *only* handle authentication, not allow password
> changing or queries against the Kerberos.
>
> Will I need or benefit from Samba for this? Or has someone here done
> the simple Kerberos slave setup and can point me to some notes?
>
> [ In case it's not clear, I wrote some of the early Samba ports to
> SunOS, so I know the basic capabilities and architecture. ]

Samba 4.0 as an AD RODC would seem to fit the bill here.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
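As an added illustration of the client side of the setup discussed above (this is not configuration from either poster or from the Samba project), the following MIT krb5.conf pins a DMZ Linux host to a single read-only KDC and turns off DNS-based KDC discovery, so the host never learns about or contacts the internal writable DCs. The realm EXAMPLE.COM and the hostname rodc.dmz.example.com are assumed placeholders.

```ini
# /etc/krb5.conf on a DMZ host (constructed example)
[libdefaults]
    default_realm = EXAMPLE.COM
    # Do not discover KDCs via DNS SRV records; use only the kdc
    # entries listed below, so the internal DCs are never contacted.
    dns_lookup_kdc = false
    dns_lookup_realm = false
    # Forwardable tickets are not needed for local-account auth.
    forwardable = false
    ticket_lifetime = 10h
    # Restrict to modern enctypes; no RC4 from an exposed host.
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    permitted_enctypes   = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96

[realms]
    EXAMPLE.COM = {
        # Only the read-only replica in the DMZ.
        kdc = rodc.dmz.example.com:88
        # No admin_server / kpasswd_server on purpose: the DMZ host
        # has nowhere to send kadmin or password-change traffic.
    }

[domain_realm]
    .dmz.example.com = EXAMPLE.COM
    dmz.example.com  = EXAMPLE.COM
```

Omitting `admin_server` and `kpasswd_server` only removes the configured destination; the DMZ-to-internal firewall should still deny TCP/UDP 464 (kpasswd) and 749 (kadmin), and anything to the writable DCs, so that the replica really is authentication-only from the DMZ's point of view, as the original poster wants.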
