Andrej Borsenkow borsenkow.msk at
Mon Dec 14 10:34:33 GMT 1998

> Yep, I'm curious to see the network trace when you establish the trust
> relationship

Well, I have here the traces for the initial trust and for access from a user
of the trusted domain. It looks pretty much as I thought. On initial trust you
manually create an account for the _trusting_ domain in the _trusted_ domain
and give it an initial password. When you now define the trusted domain on the
trusting one, it first queries DOMAIN<1B> names, then sends a query for the PDC
on this address ... no domain or SID ... gets a response with the name of the
PDC (again, no domain or SID) and then (after some sesssetupX) the MSRPC stuff
begins :) But I suspect it is simply to change the initial password (it
connects to lsarpc). Funnily, it tries to setupX with DOMAIN$ and
Administrator ... maybe the former is really a check whether the trust account
exists.

When you access the trusting domain from the trusted one, it connects to
NETLOGON trusted domain controller; it speaks RPC again (sigh ...), but in any
case, the first access to NETLOGON has the string DOMAIN$ somewhere, so I
suspect it first verifies the trust account and then authenticates the user ...

It bothers me that I have not seen how it finds the domain controller of the
trusted domain ... but maybe I missed it ... netmon does not show
broadcasts from other stations and I did not run it all the time.

Anybody interested in these?
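
The DOMAIN<1B> lookup mentioned in the message above is a NetBIOS name service query in which the name and its suffix byte are first-level encoded (RFC 1001/1002), which is why it does not appear as readable text in a raw capture. The following Python is an added example, not part of the original message; `DOMAIN` is the post's placeholder, and the transaction id and helper names are constructed for illustration.

```python
import struct

# NetBIOS suffix bytes that matter when reading domain-related lookups.
SUFFIXES = {0x00: "workstation or domain name",
            0x1B: "domain master browser (the PDC)",
            0x1C: "domain controllers group",
            0x20: "file server service"}

def encode_name(name, suffix):
    """First-level encode a NetBIOS name plus suffix byte (RFC 1001/1002)."""
    raw = name.upper().encode("ascii")
    if len(raw) > 15:
        raise ValueError("NetBIOS names are at most 15 characters")
    raw = raw.ljust(15, b" ") + bytes([suffix])
    # Each byte becomes two letters: 'A' + high nibble, then 'A' + low nibble.
    return bytes(b for c in raw for b in (0x41 + (c >> 4), 0x41 + (c & 0x0F)))

def decode_name(encoded):
    """Reverse encode_name; returns (name, suffix byte)."""
    if len(encoded) != 32 or any(not 0x41 <= b <= 0x50 for b in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii", "replace").rstrip(" "), raw[15]

def build_query(name, suffix, txid, broadcast=True):
    """Build an NBNS name query (UDP 137 payload) for name<suffix>."""
    flags = 0x0100 | (0x0010 if broadcast else 0)   # RD, plus B for broadcast
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    question = b"\x20" + encode_name(name, suffix) + b"\x00"
    return header + question + struct.pack(">HH", 0x0020, 0x0001)  # NB, IN

def parse_query(packet):
    """Parse a single-question NBNS query with no scope; reject anything else."""
    if len(packet) != 50:
        raise ValueError("unexpected length for a scopeless name query")
    txid, flags, qdcount = struct.unpack(">HHH", packet[:6])
    if flags & 0x8000 or qdcount != 1 or packet[12] != 0x20 or packet[45] != 0:
        raise ValueError("not a simple NBNS name query")
    name, suffix = decode_name(packet[13:45])
    qtype, qclass = struct.unpack(">HH", packet[46:50])
    if (qtype, qclass) != (0x0020, 0x0001):
        raise ValueError("question is not NB/IN")
    return {"txid": txid, "broadcast": bool(flags & 0x0010), "name": name,
            "suffix": suffix, "role": SUFFIXES.get(suffix, "unknown")}

if __name__ == "__main__":
    # Constructed sample: DOMAIN is the placeholder used in the post.
    pkt = build_query("DOMAIN", 0x1B, txid=0x1234)
    print(parse_query(pkt))
```

In a capture, the 32-letter string ending in `BL` is the `<1B>` suffix; the same decoder shows `<1C>` or `<00>` lookups if those are what the station actually sent.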


