SAMLOGON UDP request
Luke Kenneth Casson Leighton
lkcl at switchboard.net
Fri Dec 11 18:26:06 GMT 1998
On Fri, 11 Dec 1998, Andrej Borsenkow wrote:
> > provided (thanks!) by andrej, here is an example SAMLOGON request which
> > contains a domain SID and a workstation trust account name. to answer
> > these correctly, we will need getsmbpwnam() calls in nmbd, methinks.
> This logon request also has some bits that are not used currently. It
> explicitly sets the "workstation trust account" bit. Do we have this currently
> in smbpasswd?
> This can eliminate the need to have "users" for workstations in
> /etc/passwd at all.
not really. jeremy wanted to enforce the link between unix accounts and
smbpasswd entries. whilst this is not strictly necessary, as a trust
account is never allowed to log in (see
smbd/reply.c::session_trust_account) it does mean that each and every
smbpasswd's unix uid is consistent.
> And now I begin to understand how trust works ... It creates an account for
> the trusting domain in the trusted domain (yes, we have trust here) and when it gets
> a session setup for a user from the trusted domain, it sends SAMLOGON with the "domain
> trust account" bit set, and then simply uses passthrough authentication ...
> Sounds easy, eh ?
uh... i am thick, i do not understand.