I have a web application written in PHP where I would like to allow existing users to log into Windows computers, too. Re-hash of their passwords is doable (by requesting them to change the password). And to solve desync of passwords, I intend to have webapp authenticate users primarily against the domain.
I don't want to give webapp users accounts on the existing domain, which we can call example.local. Instead, I want to provide them accounts on a new domain, let's call it webapp.example.local.
From some research I have done, setting up a Samba4 domain and joining computers into this webapp.example.local domain would be one way to allow webapp users to log in. But, the computers should be members of the example.local domain.
How can I get computers that are members of and are authenticating against Windows 2008-based example.local to also authenticate users against webapp.example.local?
Magic keywords seem to be "trust relationship", "forest", etc, but at this point I haven't found a concrete example on how to establish this trust.
I'm not an expert on Samba4, so I cannot evaluate the limits of your design at that point. But from the AD point of view, what you want can be achieved using two separate domains and stablishing the trust relationship between both domains, so you are right on this point.
IMHO if you want two different domains, one for production (example.local) and another for resource management (webapp.example.local), bearing in mind that those two domains are hosted by different techologies (Native Microsoft AD and SAMBA4) should be better to set them in a non-contiguous DNS namespace, like example.local for production and resources.local for resource management. It's just a personal preference for AD management and not a real technical limitation.
Nevertheless I hope you could find usefull these two next links:
TechNet: Understanding Trust Types TechNet: Creating External Trusts
Hope it helps!