On Fri, 15 Sep 2017 10:38:27 +0200
Robert Leuter via samba <samba at lists.samba.org> wrote:
> Greetings to all,
>
> I've got a quick question regarding the RODC functionality. We have a
> web application in the DMZ, which has to use the user authentication
> from our domain. So we want to use the LDAP backend to talk to the
> domain and check the credentials. The problem we are running into
> right now is that the webserver cannot talk into the LAN and make
> requests via LDAP. So we searched for a solution and found the RODC.
> The idea is that the RODC is located in the DMZ. The RODC then gets
> replicated in only one way (First question: is that even possible to
> talk in one way?), so we can ask the RODC via LDAP for the
> authentication.
>
> MAIN DC (LAN) ---> RODC (DMZ) (Only connections from inside to
> outside)
>
> Web App (DMZ) --> RODC (DMZ)
>
> How would you solve this problem, that we need domain user accounts
> in the "evil" internet? Of course, it would be a major security flaw
> if we opened the DMZ ports to the LAN. So keep that in mind please.
>
> We would be very pleased for an answer.
>
> Greetings from Germany,
>
> Robert Leuter
>
I would suggest you go and read this:
https://www.linkedin.com/pulse/active-directory-dmz-nuts-marcus-rivera
If you do decide to try putting a Samba RODC in the DMZ, you should be
aware that they DO NOT work yet; this will change when 4.7.0 comes out
(end of month, hopefully).
Rowland
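As an added illustration of the credential check the web app would make against the DMZ RODC (example code written for this page, not from the thread or from Samba; the hostname, port and DN layout are assumptions): an LDAPv3 simple bind over TLS using only the standard library, which refuses empty passwords because LDAP treats a simple bind with an empty password as an anonymous bind, a classic web-login bypass.

```python
"""Minimal LDAPv3 simple bind over LDAPS, stdlib only, for a DMZ web app."""
import socket
import ssl

RODC_HOST = "rodc.dmz.example.com"  # assumed hostname of the DMZ RODC
RODC_PORT = 636                      # LDAPS


def _ber(tag: int, payload: bytes) -> bytes:
    """Encode one BER TLV with a definite length."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def bind_request(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple } }; msg_id < 128."""
    body = _ber(0x02, bytes([3]))                  # INTEGER version 3
    body += _ber(0x04, dn.encode("utf-8"))         # OCTET STRING name (bind DN)
    body += _ber(0x80, password.encode("utf-8"))   # [0] simple password
    return _ber(0x30, _ber(0x02, bytes([msg_id])) + _ber(0x60, body))


def _tlv(buf: bytes, pos: int):
    """Decode the TLV at pos; return (tag, value_start, value_end)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, pos, pos + ln


def bind_result_code(resp: bytes) -> int:
    """Extract resultCode from LDAPMessage { messageID, BindResponse { resultCode, ... } }."""
    tag, p, _ = _tlv(resp, 0)            # outer SEQUENCE
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, q = _tlv(resp, p)              # skip messageID
    tag, p, _ = _tlv(resp, q)            # BindResponse is [APPLICATION 1]
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    _, p, q = _tlv(resp, p)              # resultCode ENUMERATED
    return int.from_bytes(resp[p:q], "big")


def check_credentials(dn: str, password: str, host=RODC_HOST, port=RODC_PORT) -> bool:
    """True only for a successful authenticated bind; empty passwords are refused up front."""
    if not password:                     # empty simple bind == anonymous bind, never "success"
        return False
    ctx = ssl.create_default_context()   # verifies the RODC certificate and hostname
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as s:
            s.sendall(bind_request(1, dn, password))
            resp = s.recv(4096)
    return bind_result_code(resp) == 0   # 0 = success, 49 = invalidCredentials
```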