SAMLOGON UDP request
Luke Kenneth Casson Leighton
lkcl at switchboard.net
Mon Dec 14 17:54:49 GMT 1998
On Mon, 14 Dec 1998, Andrej Borsenkow wrote:
> > Yep, I'm curious to see the network trace when you establish the trust
> > relationship
> Well, I have here the traces for initial trust and access from a user of
> trusted domain. Looks pretty much as I thought. On initial trust you
> manually create account for _trusting_ domain in _trusted_ domain and give
> it initial password. When you now define trusted domain on trusting one, it
> first queries DOMAIN<1B> names, then sends query for PDC on this address ...
> no domain or SID ... gets response with the name of PDC (again, no domain or
> SID) and then (after some sesssetupX) the MSRPC stuff begins :) But I
> suspect it is simply to change initial password (it connects to lsarpc)
> Funnily, it tries to setupX with DOMAIN$ and Admninistrator ... may be, the
> former is really a check, if trust account exists.
check the SMBsessionsetupX error code: it will be either
"NT_STATUS_ACCESS_DENIED" or "NT_STATUS_NOLOGON_INTERDOMAIN_ACCOUNT".
> When you access trusting domain from trusted one, it connects to NETLOGON
> trusted domain controller; it speaks again RPC (sigh ...), but in any case,
> the first access to NETLOGON has somewhere string DOMAIN$, so I suspect, it
> first verifies trust account and then authenticates user ...
it't a NetSamLogon, with the DOMAIN_NAME$ and the initial password above,
as if it was a "user" account. the connection is maintained, therefore
the "DOMAIN_NAME" account is logged in, therefore you have established a
one-way trust link.
More information about the samba-technical