SAMLOGON UDP request

Luke Kenneth Casson Leighton lkcl at switchboard.net
Fri Dec 11 18:26:06 GMT 1998


On Fri, 11 Dec 1998, Andrej Borsenkow wrote:

> 
> >
> > provided (thanks!) by andrej, here is an example SAMLOGON request which
> > contains a domain SID and a workstation trust account name. to answer
> > these correctly, we will need getsmbpwnam() calls in nmbd, methinks.
> >
> 
> This logon request has also some bits that are not used currently. It
> explicitly sets "workstation trust account" bit. Do we have this currently
> in smbpasswd?

yes.

> This can eliminate the need to have "users" for workstations in
> /etc/passwd at all.

not really.  jeremy wanted to enforce the link between unix accounts and
smbpasswd entries.  whilst this is not strictly necessary, as a trust
account is never allowed to log in (see
smbd/reply.c::session_trust_account) it does mean that each and every
smbpasswd's unix uid is consistent.
 
> And now I begin to understand how trust works ... It creates account for
> trusting domain in trusted domain (yes, we have trust here) and when it gets
> session setup for user from trusted domain, it sends SAMLOGON with "domain
> trust account" bit set, and then simply uses passthrough authentication ...
> Sounds easy, eh ?

uh... i am thick, i do not understand.


