design for storing trusted domain passwords in ldap

Gerald (Jerry) Carter jerry at samba.org
Wed Jan 17 18:01:22 GMT 2007


Michael Adam wrote:

> I would have the SID of the trusted domain as a mandatory
> attribute. 

ACK.

> I don't see a use for sambaTrustFlags here.

ACK.

> Furthermore, it might be useful to have the own domain name as 
> an attribute in addition to the trusted domain name, thus 
> facilitating searches. 
> 
> This would result in the following addition to the samba schema:
> 
> attributetype ( 1.3.6.1.4.1.7165.2.1.68 NAME 'sambaTrustedDomainName'
>         DESC 'Windows NT domain which the own domain trusts'
>         EQUALITY caseIgnoreMatch
>         SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )

I don't see the justification for this.  Our domain name is always one
end and so we just need to remember the other.  If this object
is stored beneath the sambaDomainName object in the DIT then a DC
in that domain should be able to assume that it owns that trust.

> 
> ##
> ## Trust password for trusted domains
> ##
> objectclass ( 1.3.6.1.4.1.7165.2.2.15 NAME 'sambaTrustedDomainPassword' SUP top STRUCTURAL
>         DESC 'Samba Trusted Domain Password'
>         MUST ( sambaDomainName $
>                sambaTrustedDomainName $ sambaSID $
>                sambaNTPassword )
>         MAY ( sambaPwdLastSet ))

If the password is mandatory then the sambaPwdLastSet should
be also IMO.





cheers, jerry
=====================================================================
Samba                                    ------- http://www.samba.org
Centeris                         -----------  http://www.centeris.com
"What man is a man who does not make the world better?"      --Balian
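
The placement argument in the reply above, sketched as an added example (not code from the post or from Samba): when a trust entry sits beneath the sambaDomainName object, the owning domain can be read from the entry's DN, so the entry only has to describe the far end. The RDN attribute, the sample DN and values, and the helper names are assumptions; treating sambaPwdLastSet as required follows the reply's suggestion.

```python
# Assumed attribute set for a trust entry: only the far end is stored.
REQUIRED = ("sambaTrustedDomainName", "sambaSID",
            "sambaNTPassword", "sambaPwdLastSet")

def split_dn(dn):
    """Split a DN into RDN strings, honouring backslash-escaped characters.
    Hex-pair escapes and multi-valued RDNs are not handled in this sketch."""
    parts, cur, esc = [], [], False
    for ch in dn:
        if esc:
            cur.append(ch)
            esc = False
        elif ch == "\\":
            esc = True
        elif ch == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return parts

def owning_domain(dn):
    """Return the nearest ancestor sambaDomainName value, or None."""
    for rdn in split_dn(dn)[1:]:          # skip the entry's own RDN
        attr, _, value = rdn.partition("=")
        if attr.strip().lower() == "sambadomainname":
            return value.strip()
    return None

def check_trust_entry(dn, attrs):
    """Return (owner, problems) for one trust entry; attrs maps name -> list."""
    present = {k.lower(): v for k, v in attrs.items()}
    problems = [f"missing {a}" for a in REQUIRED if not present.get(a.lower())]
    owner = owning_domain(dn)
    if owner is None:
        problems.append("not beneath a sambaDomainName object")
    else:
        trusted = (present.get("sambatrusteddomainname") or [""])[0]
        if trusted.lower() == owner.lower():
            problems.append("trusted domain equals owning domain")
    return owner, problems

# Constructed sample entry; the hash is a placeholder, not a real credential.
SAMPLE_DN = "sambaTrustedDomainName=PARTNER,sambaDomainName=CORP,dc=example,dc=org"
SAMPLE_ATTRS = {"sambaTrustedDomainName": ["PARTNER"],
                "sambaSID": ["S-1-5-21-1111111111-2222222222-3333333333"],
                "sambaNTPassword": ["0" * 32],
                "sambaPwdLastSet": ["1169056882"]}
```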

