browsing in AD
Gerald Carter
gcarter at valinux.com
Sun May 13 02:50:14 GMT 2001
Here is my current understanding on browsing in AD. I'll limit my
comments to browsing file shares and ignore printers for the moment.
In order to browse a domain, the Win2k client fist must use
DNS queries to locate the DC (exact SRV RR records names are
documented inthe Win2k Server RK). Once a DC is located
(All DC's contain a copy of domain's AD), the client can perform an
ldapsearch for (objectclass=serviceConnectionPoint).
To understand how the security works, remember clients are required
to be authorized in order to publish information in AD.
Authentication is handled by Kerberos and tickets. Objects in
AD have an associated ACL which controls whether or not a client
is allowed to publish or retreive information.
So this is way overly simplified, but I think you get the general
idea. Does this jive with others concept of it?
Cheers, jerry
----------------------------------------------------------------------
/\ Gerald (Jerry) Carter Professional Services
\/ http://www.valinux.com/ VA Linux Systems gcarter at valinux.com
http://www.samba.org/ SAMBA Team jerry at samba.org
http://www.plainjoe.org/ jerry at plainjoe.org
"...a hundred billion castaways looking for a home."
- Sting "Message in a Bottle" ( 1979 )
More information about the samba-technical
mailing list