Computers on preexisting Windows 2008 domain accepting accounts from Samba3/4 domain
Posted by Ivan Vucica on Server Fault. Published on 2013-10-18T21:34:06Z.
I have a web application written in PHP where I would like to allow existing users to log into Windows computers, too. A re-hash of their passwords is doable (by requesting them to change the password). And to solve desync of passwords, I intend to have the webapp authenticate users primarily against the domain.
I don't want to give webapp users accounts on the existing domain, which we can call example.local. Instead, I want to provide them accounts on a new domain, let's call it webapp.example.local.
From some research I have done, setting up a Samba4 domain and joining computers into this webapp.example.local domain would be one way to allow webapp users to log in. But, the computers should be members of the example.local domain.
How can I get computers that are members of and are authenticating against Windows 2008-based example.local to also authenticate users against webapp.example.local?
Magic keywords seem to be "trust relationship", "forest", etc., but at this point I haven't found a concrete example of how to establish this trust.
© Server Fault or respective owner