browsing in AD

Gerald Carter gcarter at
Sun May 13 02:50:14 GMT 2001

Here is my current understanding on browsing in AD.  I'll limit my
comments to browsing file shares and ignore printers for the moment.

In order to browse a domain, the Win2k client fist must use
DNS queries to locate the DC (exact SRV RR records names are
documented inthe Win2k Server RK).  Once a DC is located
(All DC's contain a copy of domain's AD), the client can perform an
ldapsearch for (objectclass=serviceConnectionPoint).

To understand how the security works, remember clients are required
to be authorized in order to publish information in AD.
Authentication is handled by Kerberos and tickets.  Objects in
AD have an associated ACL which controls whether or not a client
is allowed to publish or retreive information.

So this is way overly simplified, but I think you get the general
idea.  Does this jive with others concept of it?

Cheers, jerry
   /\  Gerald (Jerry) Carter                     Professional Services
 \/  VA Linux Systems   gcarter at       SAMBA Team          jerry at                     jerry at

       "...a hundred billion castaways looking for a home."
                                - Sting "Message in a Bottle" ( 1979 )

More information about the samba-technical mailing list