programming question: authenticating to a domain controller (fwd)
Luke Kenneth Casson Leighton
lkcl at switchboard.net
Sat Apr 4 15:32:59 GMT 1998
Luke Kenneth Casson Leighton <lkcl at samba.anu.edu.au>
Samba and Network Development: http://mailhost.cb1.com/~lkcl
Samba and Network Consultancy: http://www.samba.co.uk
---------- Forwarded message ----------
Date: Sat, 4 Apr 1998 16:32:40 +0100 (BST)
From: Luke Kenneth Casson Leighton <lkcl at switchboard.net>
To: "Jens B. Jorgensen" <jjorgens at bdsinc.com>
Subject: Re: programming question: authenticating to a domain controller
On Fri, 3 Apr 1998, Jens B. Jorgensen wrote:
> Some more...
>
> Luke Kenneth Casson Leighton wrote:
>
> > On Thu, 2 Apr 1998, Jens B. Jorgensen wrote:
> >
> > > Whoa. That works alright. Cool stuff. How come lsaquery must come first? Is
> > > there info gleaned which is used in the subsequent 'ntlogin'?
> >
> > yep: the SID.
> >
> > > Also, is it
> > > necessary that the computer be a member of the domain?
> >
> > yep.
> >
> > > If so, should it be
> > > necessary?
> >
> > yep, for security reasons: you can't fake a login from an unregistered
> > computer, basically. same as with NIS+.
> >
>
> Hmmm, I don't see why not. Unless there's some shared secret key or public/private
> keys which are kept on both systems I don't see why you couldn't fake membership.
there is: each machine, as mentioned, has its own user account, with an NT
16 byte clear-text equivalent hash, just like "physical" users have.
yes, you could conceivably fake membership by pretending to be another
machine when you are not.
> It would seem that all you need do is claim to be another computer which is a
> member of the domain, right?
yes, you could. so all we need to do to counter this is to do a
reverse-netbios-lookup on the caller's ip address. if name is different,
refuse connection.
luke
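As an added illustration of the check Luke proposes at the end of the message (not code from the thread or from Samba), here is a defender-side sketch: the caller's claimed machine-account name is compared with the NetBIOS name obtained by a reverse lookup on the caller's IP address, and the connection is refused when the names differ or the lookup fails. The `reverse_lookup` callable and the table it reads are assumptions standing in for a real NetBIOS node-status query; names are normalized the way NetBIOS compares them (case-insensitive, 15 characters, with the machine account's trailing `$` dropped).

```python
from typing import Callable, Optional

# NetBIOS host names are at most 15 characters (the 16th byte is the suffix).
NETBIOS_NAME_LEN = 15


def normalize_netbios_name(name: str) -> str:
    """Canonical form for comparison: drop the machine-account '$' suffix,
    trim padding, upper-case, and truncate to the 15-character NetBIOS limit."""
    name = name.strip().rstrip("$").strip()
    return name.upper()[:NETBIOS_NAME_LEN]


def caller_name_matches(claimed_account: str, caller_ip: str,
                        reverse_lookup: Callable[[str], Optional[str]]) -> bool:
    """True only when the reverse lookup on caller_ip yields the same
    workstation name the caller claims; a failed lookup counts as a mismatch.
    Note: the reverse lookup itself is an unauthenticated query answered by the
    caller's address, so this is a hardening step, not a proof of identity."""
    looked_up = reverse_lookup(caller_ip)
    if not looked_up:
        return False
    return normalize_netbios_name(looked_up) == normalize_netbios_name(claimed_account)


# Constructed sample data (hypothetical addresses from the documentation range)
# standing in for what a NetBIOS node-status reply would return per IP.
SAMPLE_REVERSE_TABLE = {
    "192.0.2.10": "WKSTN01",
    "192.0.2.11": "wkstn02",
}


def sample_reverse_lookup(ip: str) -> Optional[str]:
    """Assumed stand-in for a real reverse NetBIOS lookup."""
    return SAMPLE_REVERSE_TABLE.get(ip)


def decide(claimed_account: str, caller_ip: str) -> str:
    """'accept' or 'refuse', mirroring 'if name is different, refuse connection'."""
    ok = caller_name_matches(claimed_account, caller_ip, sample_reverse_lookup)
    return "accept" if ok else "refuse"


if __name__ == "__main__":
    print(decide("WKSTN01$", "192.0.2.10"))  # genuine member workstation
    print(decide("WKSTN01$", "192.0.2.11"))  # claims WKSTN01, lookup says WKSTN02
    print(decide("WKSTN01$", "192.0.2.99"))  # no reverse name at all: refuse
```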