Nico Kadel-Garcia
2012-Jun-30 17:14 UTC
[Samba] DMZ Kerberos authentication, is Samba needed or helpful?
I'm dealing with an environment with AD servers in a normal working environment, all working and happy. I'm using bare Kerberos authentication for my Linux hosts to authenticate local accounts against the AD server, all well and good, I've not needed to integrate LDAP support and don't want to.

But there are DMZ VLANs with hosts exposed directly to the Internet. I'd like to allow those hosts similar authentication, and do *NOT* want to slap an AD server into the DMZ, for more security reasons than I can count. What I'd love to do is to set up either a Samba server, slaved to the master AD servers, to handle authentication and *not* allow propagating any changes to AD servers, basically a pure slave server. This way, I can do it on a far more secure Linux system than most AD servers could ever hope to be and protect it from the DMZ hosts or accidental external exposure.

Or, if I can do it, just set up a pure Kerberos slave. Again, I can secure that a lot more than I can hope to secure an AD server. And I'd love to have that *only* handle authentication, not allow password changing or queries against the Kerberos.

Will I need or benefit from Samba for this? Or has someone here done the simple Kerberos slave setup and can point me to some notes?

[ In case it's not clear, I wrote some of the early Samba ports to SunOS, so I know the basic capabilities and architecture. ]
Andrew Bartlett
2012-Jul-02 07:53 UTC
[Samba] DMZ Kerberos authentication, is Samba needed or helpful?
On Sat, 2012-06-30 at 13:14 -0400, Nico Kadel-Garcia wrote:
> I'm dealing with an environment with AD servers in a normal working
> environment, all working and happy. I'm using bare Kerberos
> authentication for my Linux hosts to authenticate local accounts
> against the AD server, all well and good, I've not needed to integrate
> LDAP support and don't want to.
>
> But there are DMZ VLANs with hosts exposed directly to the Internet.
> I'd like to allow those hosts similar authentication, and do *NOT*
> want to slap an AD server into the DMZ, for more security reasons than
> I can count. What I'd love to do is to set up either a Samba server,
> slaved to the master AD servers, to handle authentication and *not*
> allow propagating any changes to AD servers, basically a pure slave
> server. This way, I can do it on a far more secure Linux system than
> most AD servers could ever hope to be and protect it from the DMZ
> hosts or accidental external exposure.
>
> Or, if I can do it, just set up a pure Kerberos slave. Again, I can
> secure that a lot more than I can hope to secure an AD server. And I'd
> love to have that *only* handle authentication, not allow password
> changing or queries against the Kerberos.
>
> Will I need or benefit from Samba for this? Or has someone here done
> the simple Kerberos slave setup and can point me to some notes?
>
> [ In case it's not clear, I wrote some of the early Samba ports to
> SunOS, so I know the basic capabilities and architecture. ]

Samba 4.0 as an AD RODC would seem to fit the bill here.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
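Whether the DMZ side is a read-only Kerberos slave or a Samba AD RODC, the point Nico raises in the question and Andrew's RODC answer both rely on the DMZ Linux hosts only ever talking to the authentication-only KDC and never having a configured path to password-change or admin services on the internal DCs. The script below is an added example, not code from the thread or from the Samba project: it parses an MIT-style krb5.conf and reports entries that would give a DMZ host a route inward. The realm name, the 10.99.0.0/24 DMZ network and the sample configurations are constructed for the example; `dns_lookup_kdc` defaulting to true and `master_kdc` being retried on a failed password are MIT krb5 client behaviours.

```python
"""Audit a DMZ host's krb5.conf: only pinned DMZ KDCs, no inward admin path.

Added example (not from the Samba thread). Policy checked:
  * dns_lookup_kdc must be off, so SRV records cannot steer the host to
    internal DCs (MIT krb5 defaults this setting to true).
  * every kdc entry must be an address literal inside the DMZ network(s).
  * admin_server, kpasswd_server and master_kdc must be absent: they are the
    settings that point a client at the writable/master KDC for password
    changes and password-failure retries.
"""
import ipaddress

# Keys that give a client a path to the writable KDC (MIT krb5 [realms] tags).
INWARD_KEYS = ("admin_server", "kpasswd_server", "master_kdc")


def parse_krb5(text):
    """Minimal krb5.conf parser: {section: {key: [values]}}; realm blocks
    ('NAME = { ... }') become nested dicts under their section."""
    sections = {}
    section = None
    block = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = sections.setdefault(line[1:-1].lower(), {})
            block = None
            continue
        if section is None:
            continue
        if line.endswith("{"):                      # start of a realm block
            name = line[:-1].split("=", 1)[0].strip()
            block = section.setdefault(name, {})
            continue
        if line == "}":                             # end of a realm block
            block = None
            continue
        if "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            target = block if block is not None else section
            target.setdefault(key.lower(), []).append(value)  # keys may repeat
    return sections


def _host_of(entry):
    """Strip an optional ':port' from 'host[:port]' (IPv4 / hostname form)."""
    host, sep, port = entry.rpartition(":")
    return host if sep and port.isdigit() else entry


def audit_dmz_krb5(text, realm, allowed_kdc_nets):
    """Return a list of policy findings; an empty list means the config passes."""
    cfg = parse_krb5(text)
    nets = [ipaddress.ip_network(n) for n in allowed_kdc_nets]
    findings = []

    libdefaults = cfg.get("libdefaults", {})
    dns_lookup = libdefaults.get("dns_lookup_kdc", ["true"])[-1].lower()  # MIT default: true
    if dns_lookup in ("true", "yes", "1"):
        findings.append("dns_lookup_kdc is enabled: SRV lookups can reach KDCs "
                        "outside the pinned list")

    realm_cfg = cfg.get("realms", {}).get(realm, {})
    kdcs = realm_cfg.get("kdc", [])
    if not kdcs:
        findings.append(f"realm {realm} has no explicit kdc entries")
    for entry in kdcs:
        try:
            addr = ipaddress.ip_address(_host_of(entry))
        except ValueError:
            findings.append(f"kdc {entry!r} is a hostname; network placement "
                            "cannot be verified without resolving it")
            continue
        if not any(addr in net for net in nets):
            findings.append(f"kdc {entry!r} is outside the allowed DMZ networks")

    for key in INWARD_KEYS:
        for value in realm_cfg.get(key, []):
            findings.append(f"{key} = {value}: gives the DMZ host a password-change/"
                            "master path to the internal KDC")
    return findings


# Constructed sample configs (not from the thread): one that follows the
# policy and one that leaks internal DC addresses into the DMZ.
DMZ_REALM = "EXAMPLE.COM"
DMZ_NETS = ["10.99.0.0/24"]

CLEAN_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = false
    dns_lookup_realm = false

[realms]
    EXAMPLE.COM = {
        kdc = 10.99.0.10:88   # read-only KDC / RODC in the DMZ
        kdc = 10.99.0.11
    }
"""

LEAKY_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = 10.99.0.10
        kdc = dc01.corp.example.com
        admin_server = 10.1.0.5
        master_kdc = 10.1.0.5
    }
"""

if __name__ == "__main__":
    for label, conf in (("clean", CLEAN_CONF), ("leaky", LEAKY_CONF)):
        print(f"{label}: {audit_dmz_krb5(conf, DMZ_REALM, DMZ_NETS) or ['ok']}")
```

Run it against the krb5.conf actually deployed on a DMZ host (`audit_dmz_krb5(open('/etc/krb5.conf').read(), realm, nets)`); the leaky sample yields four findings, one for the missing `dns_lookup_kdc = false`, one for the unpinned hostname, and one each for `admin_server` and `master_kdc`. The check is client-side only: the DMZ KDC itself must still refuse kadmin/kpasswd, which is what the read-only slave or RODC role provides.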