PDC/ADS domain member hybrid?

Matthew McCowan Matthew.McCowan at ripple-systems.com
Wed Jul 21 03:52:13 GMT 2004

What I would like to do is authenticate users through an NT _trust_
relationship, to a Samba domain controller, that at its back end is a member
of an ADS controlled domain.

The trust will be a one way thing: the existing NT domain will trust the
Samba controlled domain, nothing in the other direction as the samba PDC
will not supply any services (other than authentication, and the usual nmbd

The reason why I would like to attempt this is that I want to set up a
native ADS controlled domain - _no_ backward compatibility to support NT
style domains - and use Samba as a gateway, or proxy, so the legacy NT
controlled domain can indirectly trust the ADS user base.

1 picture = 1000 words:

     ADS                Samba              NT
   (native)               |
ads.domain.com      member|TRUSTME      TRUSTYOU
                          |     trust-->
   /-----\             /--|--\           /-----\
   |     |-------------|  |  |-----------|     |
   \-----/         eth0\--|--/eth1       \-----/

I believe that the ADS could be referred to as an LDAP passwd backend, but
doesn't that require extending the ADS schema? This is where my in-depth
knowledge falls over - do the schema extensions mean that there will be two
passwords stored per user? One for native ADS and one for the Samba
extensions, à la the Novell eDir scenario, so that a password sync process
becomes necessary?

If this sort of hybrid functionality is not a feature then I will go down
the ADS-as-an-LDAP-backend path, but if it is as simple as setting "passwd
backend = ads/winbind"?????


Matt McCowan
Digital Janitor