On Wed Mar 01, 01:54am +1300, Matiu Carr wrote:
> What you describe resembles a user domain + multiple
> resource domain NT/AD construction.
> The local domains implement policy that "restricts" access
> to subsets of the total pool.
> If all the domains trust the same user domain, permissions
> are straightforward, and interdomain trusts are not
> required.

True, and that's obviously an option. However, there are three things I'm trying to accomplish:

1) This network is being built from scratch, and I'm trying to do things in such a way that everything won't need to be rebuilt entirely a year or two down the line.

2) We're a small but rapidly-growing group, and it won't be too long before we have one or more administratively separate domains. That means multiple authentication servers; I'm hoping there's a better way to do it in a Samba-exclusive environment than inter-domain trusts.

3) My users will be much happier if they see "EXEC\TheBoss" and "DEVEL\LowLevelMonkey" as opposed to "EVERYBODY\TheBoss" and "EVERYBODY\LowLevelMonkey"

--
Arguing with an engineer is like wrestling with a pig in mud.
After a while, you realise the pig is enjoying it.

OpenPGP v4 key ID: 4096R/59DDCB9F
Fingerprint: CC53 F124 35C0 7BC2 58FE 7A3C 157D DFD9 59DD CB9F
Retrieve from subkeys.pgp.net