Our organization's directory configuration:

A standard implementation of IDM 3.6.1 keeps "OUR-eDirTree1" user objects
synchronized with our AD domain users in "OUR-ADdomain1" via the IDM
Identity Vault "OUR-IDVeDirTree1".

A neighboring organization's configuration has their own AD domain.

We've implemented a two-way trust between our AD domain and the other
organization and this has been in effect for about a year.
"OUR-ADdomain1" <--> "THEIR-ADdomain1".

We have an OES2SP3 (presently SLES10SP4 32bit) server in "OUR-eDirTree1"
that provides standard file system access using NSS to all our users. Let's
call this server "OUR-NSS1".

Side Note: We have no problems moving this NSS file system to an OES11
server if needed (in fact, we may do so very soon). The NSS data is a
SAN-presented LUN, so it would not be very difficult to someday move this NSS
file system to a new OES11 server.


1) What would be the easiest way to allow the AD users in "THEIR-ADdomain1"
to access the NSS file system of a server in "OUR-eDirTree1"?
I'm looking for the least invasive solution to provide this file system
connectivity. I'd like to keep the file system as NSS and somehow make it
available to select AD users in "THEIR-ADdomain1" by leveraging the existing
domain trust.

My thoughts:
- Would Novell's Samba implementation on "OUR-NSS1" such that this Samba
server is made a member server of "OUR-ADdomain1" be a solution? Because of
the domain trust in place between "OUR-ADdomain1" and "THEIR-ADdomain1"
would I then be able to explicitly add a user from "THEIR-ADdomain1" to
access our NSS file system?

- If Novell's Samba is not the solution, is there a very non-invasive way to
implement DsFW such that the DsFW is simply made a member server of
"OUR-ADdomain1" in order to again, leverage the existing domain trust with
"THEIR-ADdomain1"?

Thanks for any help!