design for storing trusted domain passwords in ldap

Michael Adam ma at
Thu Jan 18 09:25:41 GMT 2007


On Wed, Jan 17, 2007 at 12:01:22PM -0600, Gerald (Jerry) Carter wrote:
> > Furthermore, it might be useful to have the own domain name as 
> > an attribute in addition to the trusted domain name, thus 
> > facilitating searches. 
> > 
> > This would result in the following addition to the samba schema:
> > 
> > attributetype ( NAME 'sambaTrustedDomainName'
> >         DESC 'Windows NT domain which the own domain trusts'
> >         EQUALITY caseIgnoreMatch
> >         SYNTAX{128} )
> I don't see the justification for this.  Our domain name is always one
> end and so we just need to remember the other.  If this object
> is stored beneath the sambaDomainName object in the DIT then a DC
> in that domain should be able to assume that it owns that trust.

That is exactly the point I also discussed with Volker. Of course
it is not necessary, and it is also redundant (storing the
trustPw beneath the domain). I also questioned the necessity, but
Volker voted for storing our domain name additionally for optimization 
and convenience reasons (indexing etc). So who has got the decicive 
vote here? ;-)

> If the password is mandatory then the sambaPwdLastSet should
> be also IMO.

Ok, that seems perfectly reasonable to me.
Cheers - Michael

Michael Adam,  SerNet Service Network GmbH
phone: +49-551-370000-0,  fax: +49-551-370000-9

More information about the samba-technical mailing list