On Wed, Aug 28, 2013 at 1:39 PM, natxo asenjo <natxo.asenjo at gmail.com> wrote:
>
>> This is a very tiny subset (mostly) of a corporate network where the
>> larger things are handled by active directory. But, for various
>> non-technical reasons I don't want these machines to have to 'join'
>> AD. Kerberos will sort-of work without joining, but doesn't seem
>> usable for exporting samba shares - and then anyone added locally
>> wouldn't work without the uid matching anyway. Is there a way to set
>> up an LDAP server with a few local users but that mostly does a proxy
>> to AD? And if I did, would users be able to map their home
>> directories as samba shares with the authentication it provides
>> without joining AD?
>
> you could install the IdM solution and create a cross realm trust
> between both domains. Not trivial, but would do what you want to
> accomplish.
>
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/
>
> You would need cooperation from your AD admins though. That might be a
> problem in some environments.
>
> It is quite a big project, though.

The AD admins are in a different group in a different location and
involving them adds a lot of complexity. A short script to 'usermod -u
nnn' everyone into the same uids across hosts sounds better all the
time. However, it would be nicer if there were some way to avoid having
to manage yet another password for each user for samba, although with
central home directories that would only need to be on one of the
systems.

--
Les Mikesell
lesmikesell at gmail.com
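The "usermod -u everyone into the same uids" approach mentioned above, as an added example that is not part of the thread and not anyone's posted code. It assumes a hypothetical map file with one `user:uid` line per host-wide account and a passwd-format file (defaulting to /etc/passwd). The two things a practitioner wants checked before renumbering accounts are covered: the map is validated for duplicate names, duplicate uids, uids in the (assumed, distro-conventional) system range below 1000, and uids already held by a different local account; and files outside the home directory are re-owned, since `usermod -u` only chowns the home directory itself. Nothing is modified unless `APPLY=1` is set; otherwise the commands are printed.

```shell
#!/bin/sh
# Added example, not code from the thread. Aligns local accounts on one host
# to a shared uid map so the same user has the same uid on every host.
# Map file format is a constructed convention: one "user:uid" pair per line.
# Nothing is modified unless APPLY=1 is set; otherwise commands are printed.

# Validate a map against a passwd-format file (default /etc/passwd).
# Fails on: a user or uid listed twice, a non-numeric uid, a uid below 1000
# (assumed system range), or a uid already held by a different local account.
check_uid_map() {
    map="$1"; passwd="${2:-/etc/passwd}"; rc=0
    for dup in $(cut -d: -f1 "$map" | sort | uniq -d); do
        echo "map: user $dup listed more than once" >&2; rc=1
    done
    for dup in $(cut -d: -f2 "$map" | sort | uniq -d); do
        echo "map: uid $dup assigned more than once" >&2; rc=1
    done
    while IFS=: read -r user uid; do
        case "$uid" in
            ''|*[!0-9]*) echo "map: bad uid '$uid' for $user" >&2; rc=1; continue ;;
        esac
        if [ "$uid" -lt 1000 ]; then
            echo "map: uid $uid for $user is in the system range" >&2; rc=1
        fi
        holder=$(awk -F: -v u="$uid" '$3 == u { print $1 }' "$passwd")
        if [ -n "$holder" ] && [ "$holder" != "$user" ]; then
            echo "map: uid $uid for $user is already held by $holder" >&2; rc=1
        fi
    done < "$map"
    return $rc
}

# Print "user olduid newuid" for every mapped user present in the passwd
# file whose uid differs from the map. Users absent on this host are skipped.
plan_uid_changes() {
    map="$1"; passwd="${2:-/etc/passwd}"
    while IFS=: read -r user uid; do
        old=$(awk -F: -v u="$user" '$1 == u { print $3 }' "$passwd")
        [ -z "$old" ] && continue
        [ "$old" = "$uid" ] && continue
        echo "$user $old $uid"
    done < "$map"
}

# Run a command for real only when APPLY=1; otherwise show what would run.
run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else echo "would run: $*"; fi
}

# Apply (or, without APPLY=1, just print) the changes from plan_uid_changes.
apply_uid_changes() {
    plan_uid_changes "$1" "${2:-}" | while read -r user old new; do
        run usermod -u "$new" "$user"
        # usermod only re-owns the home directory; catch everything else on
        # local filesystems that still carries the old numeric uid.
        run find / -xdev -uid "$old" -exec chown -h "$user" '{}' +
    done
}

# usage: APPLY=1 sh uidmap.sh MAP [PASSWD]   (omit APPLY=1 for a dry run)
if [ "$#" -ge 1 ]; then
    check_uid_map "$@" && apply_uid_changes "$@"
fi
```

Run it once per host with the same map file, dry-run first. The `find -xdev` pass deliberately stays off network mounts: on a shared home directory server the renumbering should be done exactly once, on the host that owns the filesystem, not repeated from every client.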