winbindd vs. lsarpcd/netlogond

Elrond elrond at samba.org
Thu Jul 13 13:36:48 GMT 2000


On Thu, Jul 13, 2000 at 11:14:42PM +1000, Luke Kenneth Casson Leighton wrote:
> > Okay: I said above, that trust-account-checking is really
> > the job of netlogond/lsarpcd:
> > 
> 
> it's handled in samba by responding to a NETLOGON request with
> NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT error message.
> 
> this gets passed down from netlogond remotely to domain_client_validate()
> which is called from password_ok() which is called from
> reply_sesssetup_andx.
> 
> in this way, a consistent interface gives the means to validate a trust
> account from an SMBsesssetupX.
> 
> ... which is a security risk that i *think* ms removed in SP6, returning
> NT_STATUS_ACCESS_DENIED instead.

There must also exist an "official way", because netdom can
do it...

But the above could be used, until we know and have
implemented the "official way".


    Elrond

