design for storing trusted domain passwords in ldap

Andrew Bartlett abartlet at
Thu Jan 18 22:11:15 GMT 2007

On Thu, 2007-01-18 at 22:52 +0100, Michael Adam wrote:
> On Thu, Jan 18, 2007, Gerald (Jerry) Carter wrote:
> > Volker Lendecke wrote:
> > > On Thu, Jan 18, 2007 at 07:15:57AM -0600, Gerald (Jerry) Carter wrote:
> > >> But you need the ldap suffix set correctly for other things.
> > >> My preference is to simply associate the trust information
> > >> with the parent DN (sambaDomainName container).
> > > 
> > > So no "ldap trust suffix"? Just
> > > "cn=trusteddomname,<sambadomaindn>"? I'm fine with that.
> > 
> > No.  Let's not make it harder to set up a Samba/LDAP combination.
> Ok, then I drop the sambaTrustedDomainName attribute.
> Here is the updated patch to the schema file.

We should store the previous password, so we can bind to a DC in the
remote domain that is a little slow on the uptake.  (Yes, we also need
logic to use the previous password, both in trusted domain and member
server code).

Hmm, perhaps we add to the schema when we actually have code to change
trust passwords automatically, and use a fallback...

Andrew Bartlett
Andrew Bartlett                      
Authentication Developer, Samba Team 
Samba Developer, Red Hat Inc.        
