On 10.09.18 at 10:06, Oliver Rath via samba wrote:
> For this, you could take roaming profiles for offline use. Here the
> files were copied to the local machine cache and used, if no (or only a
> slow) network connection is available. Alternatively, you could use a
> "RODC" (Read only Domain Controller, a mirror of the AD) locally in the
> other office. As a third solution, you could use the RODC only for
> authorization, not for file server services, but normally a slow
> connection in the desert should be sufficient for authorization purposes.

I am not sure if I understand completely or if I described the requirements accordingly.

The department uses Thin Clients to access (a) the company networks/servers and (b) its own protected LAN (behind a firewall run by me) with some specific servers and VMs.

So the thin clients are primarily domain members in the domain "BigFatCompany" and would have to be members in the domain "ProtectedServers" as well.

I think that second ADS complicates everything, at least in relation to the rather small benefits. We don't want to set up any trust between two domains or so. We don't trust that bigger environment ;-)

>> The users there wrote themselves a batch-script that connects their
>> network shares; it contains cleartext passwords ... bad
> Yes, really bad!
>>
>> Now they had a security audit and we should get rid of that batch
>> file, sure.
> Good decision.

As mentioned in my other reply, a first thought is to simply edit the batch files and remove the password -> enter it at run time.

>> I consider setting up an ADC for that one server overkill. And I
>> wonder where they would keep their passwords then; it wouldn't change
>> that.
>
> A small explanation for this question: If a Windows machine is
> authorized on an AD, you can configure the network file server without
> passwords. With the login password, the clients will get a so-called
> "granting ticket" from the AD, which can be used to mount a network
> directory to the machines without additional password entries, all
> securely encoded.

Sounds good, but it sounds like we would have to trust the bigger AD. We want to keep all the upstream IT out of our boxes (but on the other hand have to comply with the overall security standards).
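An added example, not a script from the thread or from any of its participants: a PowerShell replacement for the kind of batch file described above. Server, share, drive letter and account names are assumed placeholders. It shows the pattern the audit flagged (a password literal in the mapping command, kept only as a comment) beside the two ways to map the share without storing a secret that this message discusses: prompting at run time, and relying on the logon Kerberos ticket on a client that is a member of (or trusted by) the server's domain. The last function is the check a practitioner would run afterwards to confirm the session really used a Kerberos service ticket and did not silently fall back to NTLM.

```powershell
# Added example, not a script from the thread. All names below are assumed
# placeholders: replace them with the real server, share and drive letter.
$Server = 'fileserver.protectedservers.example'   # assumed FQDN
$Share  = 'projects'                               # assumed share name
$Drive  = 'P'                                      # assumed drive letter

# --- The pattern the audit flagged (left as a comment only, do not use): ---
#   net use P: \\fileserver\projects /user:PROTECTEDSERVERS\alice S3cretPassw0rd
# The password sits in cleartext in a .bat file that anyone with read access
# to the user's profile, a backup or a shared drive can copy.

function Connect-ShareWithPrompt {
    <#
      Option 1: keep the mapping script, drop the stored secret.
      The password is typed at run time and held only as a SecureString
      inside this process; nothing is written to disk.
    #>
    param(
        [Parameter(Mandatory)] [string] $Server,
        [Parameter(Mandatory)] [string] $Share,
        [Parameter(Mandatory)] [string] $Drive
    )
    $cred = Get-Credential -Message "Credentials for \\$Server\$Share"
    New-PSDrive -Name $Drive -PSProvider FileSystem `
        -Root "\\$Server\$Share" -Credential $cred -Persist -Scope Global
}

function Connect-ShareWithKerberos {
    <#
      Option 2: the client is a member of the domain that owns the server,
      or of a domain that server's domain trusts. The user's logon TGT is
      exchanged for a service ticket for cifs/<server>; no password is
      passed at all, so there is nothing to keep in a script.
    #>
    param(
        [Parameter(Mandatory)] [string] $Server,
        [Parameter(Mandatory)] [string] $Share,
        [Parameter(Mandatory)] [string] $Drive
    )
    # No -Credential: the mapping is authenticated with the logged-on user's
    # ticket. Use the server's FQDN, not an IP address: an IP has no SPN,
    # and Windows would then fall back to NTLM.
    New-PSDrive -Name $Drive -PSProvider FileSystem `
        -Root "\\$Server\$Share" -Persist -Scope Global
}

function Test-ShareUsesKerberos {
    <#
      Verify after mapping: an SMB connection to the server exists and the
      ticket cache holds a cifs/<server> service ticket for it. If the
      connection is there but no such ticket is, the session fell back to
      NTLM (typically a name resolution or SPN problem).
    #>
    param([Parameter(Mandatory)] [string] $Server)
    $conn = Get-SmbConnection -ServerName $Server -ErrorAction SilentlyContinue
    if (-not $conn) { return $false }
    # Get-SmbConnection does not report the authentication package, so ask
    # the Kerberos ticket cache for the service ticket the session used.
    $tickets = klist 2>$null
    return [bool]($tickets -match "cifs/$([regex]::Escape($Server))")
}

# Usage on a domain-joined thin client:
Connect-ShareWithKerberos -Server $Server -Share $Share -Drive $Drive
if (-not (Test-ShareUsesKerberos -Server $Server)) {
    Write-Warning "Session to $Server is not using a Kerberos ticket; check DNS/SPN."
}
```

Option 1 removes the secret from the file but still sends a password over the wire at each logon and still means the user knows and types a second password; option 2 is the "no additional password entries" case described in the quoted reply and only works once the client and server share a domain or a trust. The `Test-ShareUsesKerberos` check is worth keeping in the script, since a mapping that quietly downgrades to NTLM looks identical to the user.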
On Mon, 10 Sep 2018 12:57:17 +0200
"Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:

> On 10.09.18 at 10:06, Oliver Rath via samba wrote:
>
> > For this, you could take roaming profiles for offline use. Here the
> > files were copied to the local machine cache and used, if no (or
> > only a slow) network connection is available. Alternatively, you
> > could use a "RODC" (Read only Domain Controller, a mirror of the
> > AD) locally in the other office. As a third solution, you could
> > use the RODC only for authorization, not for file server services,
> > but normally a slow connection in the desert should be sufficient
> > for authorization purposes.
>
> I am not sure if I understand completely or if I described the
> requirements accordingly.
>
> The department uses Thin Clients to access (a) the company
> networks/servers and (b) its own protected LAN (behind a firewall run
> by me) with some specific servers and VMs.
>
> So the thin clients are primarily domain members in the domain
> "BigFatCompany" and would have to be members in the domain
> "ProtectedServers" as well.
>

That does change things; it sounded like you were running a small workgroup, not an adjunct to a domain.

If you don't want passwords stored anywhere, or floating about the LAN, then you need to join the two standalone servers to the domain, probably one as a DC or RODC, and then only allow access to the shares from the thin clients via ACLs.

Rowland
On 10.09.18 at 13:13, Rowland Penny via samba wrote:
> On Mon, 10 Sep 2018 12:57:17 +0200
> "Stefan G. Weichinger via samba" <samba at lists.samba.org> wrote:
>> So the thin clients are primarily domain members in the domain
>> "BigFatCompany" and would have to be members in the domain
>> "ProtectedServers" as well.
>>
>
> That does change things; it sounded like you were running a small
> workgroup, not an adjunct to a domain.
>
> If you don't want passwords stored anywhere, or floating about the LAN,
> then you need to join the two standalone servers to the domain,
> probably one as a DC or RODC, and then only allow access to the
> shares from the thin clients via ACLs.

We now discuss this: set up a new ADS domain based on Samba 4 (at first in a VM running on one of the 2 servers) and set up some trust relationship.

Our new small domain trusts the domain "BigFatCompany" and we limit access to the shares via smb.conf etc.

Might be more comfortable and integrated ... I will read more on this trusted domain stuff.