I am not sure if this is the right place to ask, but here goes.
The Uni I work at runs their corporate MS AD. I work in the School
of Computing, and we've set up our own AD (Samba4), and have it tailored
to suit our needs. We manage our own accounts separately from the
corporate accounts. However, our dean wants "single sign-on". From his
point of view, that is the same usernames and passwords. From our point of
view same usernames and passwords is fine, however, we need to have the
AD working the way we use it too. Using the corporate AD won't give us
that, and will break almost everything we do.

So here is the question:
Is there a way we can get our AD to ask their AD to authenticate a
user, but still use our AD's users' set up? e.g. unix attributes, groups,
group policies etc.

We've briefly looked at trusts but are not sure it will do what we
want. None of us are AD people, so we are a bit stuck.
Any hints, ideas, or solutions appreciated.

I guess it boils down to: How would a large corporation have one
source of username/passwords, and multiple separate areas where their
users' attributes, policies, group membership etc. are managed separately?