PDC/ADS domain member hybrid?
Matthew.McCowan at ripple-systems.com
Wed Jul 21 03:52:13 GMT 2004
What I would like to do is authenticate users through an NT _trust_
relationship, to a Samba domain controller, that at its back end is a member
of an ADS controlled domain.
The trust will be a one-way thing: the existing NT domain will trust the
Samba-controlled domain, nothing in the other direction, as the Samba PDC
will not supply any services (other than authentication, and the usual nmbd
The reason why I would like to attempt this is that I want to set up a
native ADS controlled domain - _no_ backward compatibility to support NT
style domains - and use Samba as a gateway, or proxy, so the legacy NT
controlled domain can indirectly trust the ADS user base.
1 picture = 1000 words:

       ADS                 Samba                        NT
 ads.domain.com        member|TRUSTME                TRUSTYOU
     /-----\              /--|--\                     /-----\
    |       |------------|   |   |-------------------|       |
     \-----/         eth0 \--|--/ eth1                \-----/
I believe that the ADS could be referred to as an LDAP passwd backend, but
doesn't that require extending the ADS schema? This is where my in-depth
knowledge falls over: do the schema extensions mean that there will be two
passwords stored per user? One for native ADS and one for the Samba
extensions, à la the Novell eDir scenario, so that a password sync process
If this sort of hybrid functionality is not a feature, then I will go down
the ADS-as-an-LDAP-backend path, but is it as simple as setting "passwd
backend = ads/winbind"?
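As an added illustration (this is not part of the original post, nor a configuration that implements the hybrid asked about), here is the "member" half of the picture on its own: a Samba 3 host joined to the ADS domain, with winbind supplying the ADS user base to the local system. Realm, workgroup and idmap ranges are assumed values. The commented-out block at the end shows why the two roles do not fit in one smb.conf: "security" is a single global parameter, so one smbd instance is either an ADS member ("security = ads") or a PDC ("security = user", "domain logons = yes"), not both.

```ini
# smb.conf for the ADS-member side of the diagram (added example, not the
# poster's configuration). ADS / ADS.DOMAIN.COM and the idmap ranges are
# assumed values.
[global]
    workgroup = ADS
    realm = ADS.DOMAIN.COM
    security = ads
    encrypt passwords = yes

    # Map ADS SIDs to local uids/gids; keep the range clear of local accounts
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind enum users = yes
    winbind enum groups = yes
    winbind use default domain = yes
    template shell = /bin/false
    template homedir = /home/%D/%U

    # The PDC-of-TRUSTME role the post describes. These cannot coexist with
    # "security = ads" above: "security" is global, so a second smbd/nmbd
    # instance with its own smb.conf (bound to eth1 via "interfaces" and
    # "bind interfaces only = yes") would be needed for this half.
    ;workgroup = TRUSTME
    ;security = user
    ;domain logons = yes
    ;domain master = yes
    ;passdb backend = tdbsam
```

After "net ads join -U Administrator" (which needs a working krb5.conf for the realm), "wbinfo -t" checks the machine trust secret against the ADS domain, "wbinfo -u" lists the ADS users, and "wbinfo -a 'user%password'" exercises both plaintext and challenge/response authentication through winbind, which is the check that matters for the "authentication only" service the post wants from the Samba side. For the NT trust in the direction described (TRUSTYOU trusting TRUSTME), the Samba PDC side is "net rpc trustdom add TRUSTYOU <password>", and the NT PDC adds TRUSTME under User Manager for Domains, Policies, Trust Relationships, Trusted Domains, with the same password.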