design for storing trusted domain passwords in ldap
Michael Adam
ma at sernet.de
Thu Jan 18 09:25:41 GMT 2007
Hi,

On Wed, Jan 17, 2007 at 12:01:22PM -0600, Gerald (Jerry) Carter wrote:
> > Furthermore, it might be useful to have the own domain name as
> > an attribute in addition to the trusted domain name, thus
> > facilitating searches.
> >
> > This would result in the following addition to the samba schema:
> >
> > attributetype ( 1.3.6.1.4.1.7165.2.1.68 NAME 'sambaTrustedDomainName'
> > DESC 'Windows NT domain which the own domain trusts'
> > EQUALITY caseIgnoreMatch
> > SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
>
> I don't see the justification for this. Our domain name is always one
> end and so we just need to remember the other. If this object
> is stored beneath the sambaDomainName object in the DIT then a DC
> in that domain should be able to assume that it owns that trust.

That is exactly the point I also discussed with Volker. Of course
it is not necessary, and it is also redundant (storing the
trustPw beneath the domain). I also questioned the necessity, but
Volker voted for storing our domain name additionally for optimization
and convenience reasons (indexing etc). So who has got the decisive
vote here? ;-)

> If the password is mandatory then the sambaPwdLastSet should
> be also IMO.

Ok, that seems perfectly reasonable to me.

Cheers - Michael
--
Michael Adam, SerNet Service Network GmbH
phone: +49-551-370000-0, fax: +49-551-370000-9
More information about the samba-technical mailing list