This has been a fun topic of discussion on Server Fault. There appear to be varying "religious views" on the topic.
I agree with Microsoft's recommendation: Use a sub-domain of the company's already-registered Internet domain name.
So, if you own foo.com, use ad.foo.com or some such.
The most vile thing, as I see it, is using the registered Internet domain name, verbatim, for the Active Directory domain name. This causes you to be forced to manually copy records from the Internet DNS (like www) into the Active Directory DNS zone to allow "external" names to resolve. I've seen utterly silly things like IIS installed on every DC in an organization running a web site that does a redirect such that someone entering foo.com into their browser would be redirected to www.foo.com by these IIS installations. Utter silliness!
Using the Internet domain name gains you no advantages, but creates "make work" every time you change the IP addresses that external host names refer to. (Try using geographically load-balanced DNS for the external hosts and integrating that with such a "split DNS" situation, too! Gee-- that would be fun...)
Using such a subdomain has no effect on things like Exchange email delivery or User Principal Name (UPN) suffixes, BTW. (I often see those both cited as excuses for using the Internet domain name as the AD domain name.)
I also see the excuse "lots of big companies do it". Large companies can make boneheaded decisions as easily (if not more so) than small companies. I don't buy that just because a large company makes a bad decision that somehow causes it to be a good decision.
Samba has a username map config option that you can use to specify a list of remote usernames that will be transparently mapped to a different local user name.
The format for this in /etc/smb/samba.conf would be something like this:
[share]
...normal share options
username map = /path/to/file
users = jane bob fred ... etc
And the contents of /path/to/file should be:
jane = jdoe
You can add more lines to this file, including quoted usernames with spaces, references to whole groups, etc. See documentation link above for more details.
My original answer is a bit of a hack, but for reference here's the deal on forced users. You can add a user to the samba password file using smbpasswd -a without adding them as a unix system user. Then you can authenticate those users on the samba share. You do not have to add them to the unix system password list in order for this to work, but since their users don't exist they will not particularly be able to make use of the share because the unix privilege system will keep them from writing etc. To fix this, there is a "force user" option that you can add to any share and all actions taken by any authenticated user on that share will be executed using that unix system user. So if you create a share for everybody, then create a duplicate share just for jdoe and add force user = jane to that share, even when jdoe authenticates they will read/write files on the system using jane's unix user.
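The mapping the answer above describes, as an added example that is not part of the original answer and not Samba's own code: it parses a username map file in the smb.conf(5) "unixname = windowsname ..." format (comments, quoted names with spaces, @group references, and the "!" stop-processing prefix) and resolves an incoming remote name to the local user. The sample map file and the group table are constructed for the demonstration.

```python
import shlex

# Constructed sample username map in the format the answer describes:
# local unix name on the left, one or more remote (client) names on the right.
SAMPLE_MAP = """
# comment line
; another comment
jane = jdoe
!root = admin Administrator
backup = "Backup Operator" bkp
staff = @wheel
"""

# Constructed group membership for "@group" entries (assumption: in practice this
# would come from the system group database, e.g. getent group).
SAMPLE_GROUPS = {"wheel": {"alice", "bob"}}


def parse_username_map(text):
    """Return a list of (unix_name, [remote names], stop_on_match) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":       # blank or comment line
            continue
        if "=" not in line:
            raise ValueError(f"malformed username map line: {raw!r}")
        left, right = line.split("=", 1)
        unix_name = left.strip()
        stop = unix_name.startswith("!")      # "!" stops processing after a match
        if stop:
            unix_name = unix_name[1:].strip()
        remote_names = shlex.split(right)     # honours "quoted names with spaces"
        entries.append((unix_name, remote_names, stop))
    return entries


def map_username(remote, entries, groups):
    """Apply the map line by line; a later line may remap again unless a '!' line matched."""
    current = remote
    for unix_name, remote_names, stop in entries:
        matched = False
        for name in remote_names:
            if name.startswith("@"):          # @group matches any member of the group
                matched = current in groups.get(name[1:], set())
            else:
                matched = name == "*" or name == current
            if matched:
                break
        if matched:
            current = unix_name
            if stop:
                break
    return current
```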
Best Answer
It may be a NetBIOS name of a domain trust. Check current trusts with the following command:
The output will report all trusted domains on a separate line. The output is formatted as follows, with the 0 being the line number:
The server's primary/native domain will be noted in the Other Attributes field as well.
Once you have the FQDN of the SCICENTER domain, then you can just try to resolve it through DNS and/or ping it.
Alternatively, you can also list all domain controllers that the computer knows of for a given domain name (NetBIOS or FQDN) using the following command:
Note: If you use the NetBIOS name, then you may only get the PDC for a trusted domain.