Is it possible to provide access to a domain resource to a non-domain user?

Solution 1

You can grant access to a domain resource (i.e. a share) to a non-domain machine... provided the service on that machine accesses the share using as remote credentials either:

  • domain user credentials OR
  • a local user's (on the domain machine) credentials

The second one is the safest way to do it (a remote attacker sitting on the app tier machine won't have access to a domain account with access to the entire domain, but only to the domain machines it has a local account on).

BUT you won't be able to simply set such a user to run the app service under. You must have some support in your application to specify different credentials according to which server it is connecting to.

So if this is supported => say your app tier machine APPTIER is in the MSHOME workgroup and your shares are \\SERVER1\share1 and \\SERVER2\share2 in the MYDOMAIN domain:

  1. Create a local account apptieracct on SERVER1 with access to share1
  2. Create a local account apptieracct on SERVER2 with access to share2
  3. On APPTIER, configure the application to use SERVER1\apptieracct to access \\SERVER1\share1 and SERVER2\apptieracct to access \\SERVER2\share2
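
As an added example (not part of the original answer), here is how steps 1 and 3 above could be carried out in PowerShell for SERVER1; SERVER2/share2 is the same with the names swapped. The names SERVER1, share1 and apptieracct come from the answer; the folder D:\share1, Windows Server 2016 or later with PowerShell 5.1 (for New-LocalUser), and the Change-level access are assumptions.

```powershell
# ---- On SERVER1 (domain member hosting share1), in an elevated PowerShell ----
# Assumed: Windows Server 2016+ / PowerShell 5.1, folder D:\share1 already exists.
$AccountName = 'apptieracct'
$ShareName   = 'share1'
$SharePath   = 'D:\share1'
$Principal   = "$env:COMPUTERNAME\$AccountName"   # local, not domain, principal

# Step 1: a local account that exists only on this server. The password is
# prompted at the console so it never lands in the script or a transcript.
$Password = Read-Host -AsSecureString -Prompt "Password for $AccountName"
New-LocalUser -Name $AccountName -Password $Password `
    -PasswordNeverExpires -UserMayNotChangePassword `
    -Description 'APPTIER service access to share1 only'

# Share permission: only this account, with Change (read/write) rather than Full.
# Nothing is granted to Everyone or Guest.
New-SmbShare -Name $ShareName -Path $SharePath -ChangeAccess $Principal

# NTFS permission: share and NTFS ACLs are both evaluated, so lock NTFS down too.
$Acl  = Get-Acl -Path $SharePath
$Rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Principal, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$Acl.AddAccessRule($Rule)
Set-Acl -Path $SharePath -AclObject $Acl

# Check: the share ACL should list apptieracct and no broad group.
Get-SmbShareAccess -Name $ShareName |
    Format-Table AccountName, AccessControlType, AccessRight -AutoSize

# ---- On APPTIER (workgroup member), step 3 of the answer ----
# The application supplies SERVER1\apptieracct explicitly; a workgroup machine
# has no domain token to fall back on, so the credential must be passed.
$Cred = Get-Credential -UserName 'SERVER1\apptieracct' -Message 'share1 credentials'
New-PSDrive -Name S1 -PSProvider FileSystem -Root '\\SERVER1\share1' -Credential $Cred
Get-ChildItem -Path 'S1:\'   # succeeds only with the server-local credential
```

If the account on SERVER1 is ever compromised, the blast radius is share1 on that one host, which is the point the answer makes about preferring a server-local account over a domain account.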

Solution 2

Someone has a similar question answered here

How can an unauthenticated user access a windows share?

The following is a cut/paste of the answer given

To do what you want you'll have to enable the "Guest" account on the computer hosting the files and then grant the "Everyone" group whatever access you want.

"Guest" is a user account, but its enabled / disabled status is interpreted by the operating system as a boolean "Allow unauthenticated users to connect?" Permissions still control the access to files, but you open things up a LOT by enabling Guest.

Don't do this on a domain controller computer, BTW, because you'll be Guest on all DCs...

Author by

stephan

Updated on September 18, 2022

Comments

  • stephan
    stephan over 1 year

    I'm confused about how to pull in related information from two different tables. If I go to localhost:8000/user/username, it should display the user's profile and user reviews below, because the username is being passed through the URL into the views function. Is that correct?

    Also, is it required that I use foreign key to accomplish this? I've read the docs and I'm still not completely sure how a foreign key would help me accomplish my goal here.

    Models

    from django.db import models


    class User(models.Model):
        name = models.CharField(max_length=20)
        reviewer = models.CharField(max_length=20)
        # A raw password in a TextField is never hashed; Django's built-in auth
        # User model already stores salted password hashes instead.
        password = models.TextField()
        zipcode = models.CharField(max_length=100)   # was "Charfield" (AttributeError)
        email = models.EmailField()

        def __str__(self):              # __unicode__ on Python 2
            return self.name


    class UserReview(models.Model):
        # on_delete is required from Django 2.0 onward
        name = models.ForeignKey(User, on_delete=models.CASCADE)
        author = models.CharField(max_length=50)
        pub_date = models.DateField()
        stars = models.IntegerField()   # max_length is ignored on IntegerField
        comment = models.CharField(max_length=100)

        def __str__(self):              # __unicode__ on Python 2
            return str(self.name)       # self.name is a User instance, not text


    Views

    from django.shortcuts import render

    from .models import User, UserReview


    def index(request, username):
        # username is captured by the URL pattern and passed in by Django
        profile_info = User.objects.filter(name=username)
        # name is a ForeignKey, so filter on the related User's name field
        latest_reviews = (UserReview.objects.filter(name__name=username)
                          .order_by('-pub_date')[:5])
        context = {'profile_info': profile_info, 'latest_reviews': latest_reviews}
        return render(request, 'randomtemplate.html', context)


    URLS

    from django.urls import re_path
    from .views import index

    urlpatterns = [
        re_path(r'^user/(?P<username>\w+)/$', index),
    ]

  • Chris
    Chris about 13 years
    Thanks for the answer Phil but that's not an option - the computers hosting the files need pretty severe access control too. I was hoping there was a way of doing it by SID or some devious magic I didn't know about!
  • Chris
    Chris about 13 years
    I agree this is probably the best way but my app services don't support impersonation at present. I think I'm going to resort to separating the database off instead and leaving the app server in the domain. Thanks for the help!