Here's what I'm trying to do:
I'd like to move my mail server outside of my LAN into the cloud for various reasons. The mailserver will be a linux machine, but our network is windows based, so users are authenticating against Active Directory. Each authenticated user gets a mailbox, pretty standard.
Now - I can use samba/winbind/krb5 to join a Linux mailserver to the AD domain very easily and happily have users authenticate to this machine using their domain credentials to retreive mail. What I'd like to do as part of this migration has not proved to be so simple. Even though the server is leaving the confines of the local network, I'd still like users to log in using their domain credentials (via kerberos) as before.
My question is a bit open ended... I've done a bit of reading which suggests kerberos is fairly sturdy and safe to use over the internet security-wise and so I've continued with the assumption that with the correct firewall setup it should be possible and not a huge security headache, I'm just not sure of the correct way to go about persuading my Windows domain controller to authenticate a user logging into a machine which lives on a separate network (calling in over the internet). My niaive assumption was you open up port 88, synchronise your clocks, and you can join the domain just as you normally would from within the LAN, however having gone through the normal steps (something I've done a few times with little trouble) I'm thinking I need to tell AD that it's okay to accept kerberos requests from this external source, or that there are more ports required than just the kerberos port (88).
Does anyone have any experience doing anything like this, or is it a fools errand?
One final note: a VPN is unfortunately not an option in this case, nor is a windows operating system for the remote computer.