samba - Jun 2018 - Samba 4.8 RODC not working

On Wed, 13 Jun 2018 12:28:23 +0200 (CEST)
Gaetan SLONGO <gslongo at it-optics.com> wrote:
> Hi Rowland, 
> 
> 
> I have no homes share. As far as I know I should not have that share
> on a DC ..?
Then don't worry about it, I was just checking if you had one.
> 
> 
> Regarding the security consideration for a DMZ zone, what do you
> suggest instead of putting a RODC in it ? 
The real question is, why do you want to put your AD into a DMZ ?
I suggest you read this:

https://www.linkedin.com/pulse/active-directory-dmz-nuts-marcus-rivera
> 
> Note : Yes I can ping DC, there is no routing / firewalling issue
> (validated). 
Then I fall back to, you need more help than this list can provide,
contact Sernet or Tranquil IT or anybody who knows Linux and Samba and
can spend time (and your money) on this problem. 

Rowland

Hi Rowaland, 


I read the doc. 
The reason is the usual one. We need authentication inside the DMZ zone and do
not want any modification from this zone. We also need a fileserver into this
zone where corporate users can log-in. We are asked to keep the solution simple,
easy to understand an maintain. I can force authentication to this DC instead of
choosing the DC "randomly".


So, do you see better solution than RODC ? 


Thanks ! 

----- Mail original -----

De: "Rowland Penny via samba" <samba at lists.samba.org> 
À: samba at lists.samba.org 
Envoyé: Mercredi 13 Juin 2018 13:18:15 
Objet : Re: [Samba] Samba 4.8 RODC not working 

On Wed, 13 Jun 2018 12:28:23 +0200 (CEST) 
Gaetan SLONGO <gslongo at it-optics.com> wrote: 
> Hi Rowland, 
> 
> 
> I have no homes share. As far as I know I should not have that share 
> on a DC ..? 
Then don't worry about it, I was just checking if you had one. 
> 
> 
> Regarding the security consideration for a DMZ zone, what do you 
> suggest instead of putting a RODC in it ? 
The real question is, why do you want to put your AD into a DMZ ? 
I suggest you read this: 

https://www.linkedin.com/pulse/active-directory-dmz-nuts-marcus-rivera 
> 
> Note : Yes I can ping DC, there is no routing / firewalling issue 
> (validated). 
Then I fall back to, you need more help than this list can provide, 
contact Sernet or Tranquil IT or anybody who knows Linux and Samba and 
can spend time (and your money) on this problem. 

Rowland 

-- 
To unsubscribe from this list go to the following URL and read the 
instructions: https://lists.samba.org/mailman/options/samba 



-- 




www.it-optics.com 
	
Gaëtan SLONGO | Head of Infrastructure Department 
Boulevard Initialis, 28 - 7000 Mons, BELGIUM 
Company : 	+32 (0)65 84 23 85 
Direct : 	+32 (0)65 32 85 88 
Fax : 	+32 (0)65 84 66 76 
Skype ID : 	gslongo.pro 
GPG Key : 	gslongo-gpg_key.asc 
	

- Please consider your environmental responsibility before printing this e-mail
-

On Thu, 14 Jun 2018 10:23:56 +0200 (CEST)
Gaetan SLONGO <gslongo at it-optics.com> wrote:
> Hi Rowaland, 
> 
> 
> I read the doc. 
> The reason is the usual one. We need authentication inside the DMZ
> zone and do not want any modification from this zone. We also need a
> fileserver into this zone where corporate users can log-in. We are
> asked to keep the solution simple, easy to understand an maintain. I
> can force authentication to this DC instead of choosing the DC
> "randomly". 
> 
> 
> So, do you see better solution than RODC ? 
Yes, do not do it ;-)

You say that you are going to put a fileserver into the DMZ as well and
your users will log into this. This means that the RODC will have to
ask a DC to authenticate the users, this means punching holes in the
firewall between your DMZ and internal network, any extra holes in a
firewall are a security risk.
Also by putting the fileserver in the DMZ, you are placing there,
something that will very very probably cache usernames and passwords.

It is your network and you may get to pick up the pieces if it all goes
wrong.

Rowland