Authentication through transitive trusts

Richard Sharpe rsharpe at
Thu Jul 17 18:42:56 GMT 2003

On Thu, 17 Jul 2003, Ken Cross wrote:

> Steve:
> I think we're talking apples and oranges.
> The "AD-enabled client" doesn't connect to the AD server, it connects to
> Samba.  And unless I'm badly mistaken (which I'd *love* to be), the client
> does not use Kerberos to connect to Samba, it uses NTLM.  (NTLMSSP? SPNEGO?)

Hmmm, do you have a sniff of this? 
I would have thought that an AD-enabled client would have authenticated 
with the KDC and received a service ticket for the SMB server it wants to 
contact, which it should wrap up in the SPNEGO stuff in the session 
setup&X etc.

Hmmm, the details start to get difficult after that.

Richard Sharpe, rsharpe[at], rsharpe[at], 
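What a sniff of the session setup would settle, as an added example that is not part of the original thread: the client's security blob is either a raw NTLMSSP message or a SPNEGO NegTokenInit whose mechTypes list names Kerberos and/or NTLMSSP in the client's order of preference. The function names and the sample blob are assumptions constructed for illustration; only the initial client token is handled.

```python
# Added example: helper names are illustrative and the sample blob is constructed.
SPNEGO_OID = bytes.fromhex("2b0601050502")                  # 1.3.6.1.5.5.2
MECHS = {
    bytes.fromhex("2a864886f712010202"): "Kerberos 5",      # 1.2.840.113554.1.2.2
    bytes.fromhex("2a864882f712010202"): "MS Kerberos 5",   # 1.2.840.48018.1.2.2
    bytes.fromhex("2b06010401823702020a"): "NTLMSSP",       # 1.3.6.1.4.1.311.2.2.10
}

def read_tlv(buf, pos, want):
    """Return (value, next_pos) of the DER element at buf[pos], which must carry tag `want`."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if tag != want:
        raise ValueError(f"expected tag {want:#x}, got {tag:#x}")
    if length & 0x80:                                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return buf[pos:pos + length], pos + length

def offered_mechanisms(blob):
    """List the mechanisms named in a session setup security blob, in preference order."""
    if blob.startswith(b"NTLMSSP\x00"):
        return ["NTLMSSP (raw, no SPNEGO)"]
    token, _ = read_tlv(blob, 0, 0x60)                      # GSS-API InitialContextToken
    oid, pos = read_tlv(token, 0, 0x06)
    if oid != SPNEGO_OID:
        raise ValueError("GSS-API token is not SPNEGO")
    inner, _ = read_tlv(token, pos, 0xA0)                   # [0] NegTokenInit
    for tag in (0x30, 0xA0, 0x30):                          # SEQUENCE, [0] mechTypes, SEQUENCE OF
        inner, _ = read_tlv(inner, 0, tag)
    names, pos = [], 0
    while pos < len(inner):
        oid, pos = read_tlv(inner, pos, 0x06)
        names.append(MECHS.get(oid, "unknown OID " + oid.hex()))
    return names

def tlv(tag, body):
    return bytes([tag, len(body)]) + body                   # short-form length only (< 128 bytes)

def build_sample(mech_oids):
    """Constructed NegTokenInit carrying only a mechTypes list (no mechToken)."""
    mechs = tlv(0xA0, tlv(0x30, b"".join(tlv(0x06, o) for o in mech_oids)))
    return tlv(0x60, tlv(0x06, SPNEGO_OID) + tlv(0xA0, tlv(0x30, mechs)))

print(offered_mechanisms(build_sample(list(MECHS))))
```

A blob that lists only NTLMSSP, or that starts with the raw `NTLMSSP` signature, means the client did not present a Kerberos ticket to the server in that exchange.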

