On Wed, Aug 28, 2013 at 1:39 PM, natxo asenjo natxo.asenjo@gmail.com wrote:
This is a very tiny subset (mostly) of a corporate network where the larger things are handled by active directory. But, for various non-technical reasons I don't want these machines to have to 'join' AD. Kerberos will sort-of work without joining, but doesn't seem usable for exporting samba shares - and then anyone added locally wouldn't work without the uid matching anyway. Is there a way to set up an LDAP server with a few local users but that mostly does a proxy to AD? And if I did, would users be able to map their home directories as samba shares with the authentication it provides without joining AD?
you could install the IdM solution and create a cross realm trust between both domains. Not trivial, but would do what you want to accomplish.
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/...
You would need cooperation from your AD admins though. That might be a problem in some environments.
It is quite a big project, though.
The AD admins are in a different group in a different location and involving them adds a lot of complexity. A short script to 'usermod -u nnn' everyone into the same uids across hosts sounds better all the time. However, it would be nicer if there were some way to avoid having to manage yet another password for each user for samba, although with central home directories that would only need to be on one of the systems.
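A worked version of the cross-host UID reconciliation the last message mentions, added here as an example and not code from the thread. The passwd snippets are constructed, and the script only prints the usermod/chown commands for review rather than running them:

```shell
#!/bin/sh
# Added example (not from the thread): plan a 'usermod -u' reconciliation
# from constructed /etc/passwd snippets of a reference host and a local host.
# Constructed samples: bob's uid differs; dave's target uid is already erin's.
REF_PASSWD='alice:x:1001:1001::/home/alice:/bin/sh
bob:x:1002:1002::/home/bob:/bin/sh
dave:x:1004:1004::/home/dave:/bin/sh'
LOCAL_PASSWD='alice:x:1001:1001::/home/alice:/bin/sh
bob:x:1010:1010::/home/bob:/bin/sh
erin:x:1004:1004::/home/erin:/bin/sh
dave:x:1011:1011::/home/dave:/bin/sh'

# uid_plan REF LOCAL
# One line per user on both hosts whose uid differs:
#   "fix USER OLD NEW"        when NEW is free on the local host
#   "conflict USER NEW OWNER" when NEW already belongs to another local user
uid_plan() {
  printf '%s\n' "$2" | awk -F: -v ref="$1" '
    BEGIN { n = split(ref, l, "\n")
            for (i = 1; i <= n; i++) { split(l[i], f, ":"); want[f[1]] = f[3] } }
    { have[$1] = $3; owner[$3] = $1 }
    END { for (u in want) if ((u in have) && have[u] != want[u]) {
            if ((want[u] in owner) && owner[want[u]] != u)
              print "conflict", u, want[u], owner[want[u]]
            else
              print "fix", u, have[u], want[u] } }' | sort
}

# uid_commands REF LOCAL
# usermod -u re-owns only the home directory, so files elsewhere that still
# carry the old numeric uid need a separate find/chown pass.
uid_commands() {
  uid_plan "$1" "$2" | while read -r kind user a b; do
    case $kind in
      fix) printf 'usermod -u %s %s\n' "$b" "$user"
           printf 'find / -xdev -uid %s -exec chown -h %s {} +\n' "$a" "$user" ;;
      conflict) printf '# skip %s: uid %s already owned by %s\n' "$user" "$a" "$b" ;;
    esac
  done
}

uid_commands "$REF_PASSWD" "$LOCAL_PASSWD"
```

Conflicts (including two users swapping uids) are reported rather than applied, since running the moves in sequence would otherwise hand files to the wrong account mid-way.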