Authentication through transitive trusts

Richard Sharpe rsharpe at richardsharpe.com
Thu Jul 17 22:42:15 GMT 2003


On Thu, 17 Jul 2003, Richard Sharpe wrote:

> > > Here you go.  Similar setup:
> > > 
> > >   10.0.0.204 - "WIN1" - Windows 2000 (SP4) AD Server, domain WIN1DOM
> > >  
> > >   10.0.0.189 - "KJCWINXP" - Windows XP Pro Client, a member of WIN1DOM
> > > 
> > > It shows KJCWINXP connecting to the "Program Files" share on WIN1.  It looks
> > > like it negotiated "MS KRB5" protocol.
> > 
> > OK, apart from the long-file name bit that I mentioned before, here is/are 
> > some further difference(s) between Samba and Win2K ...
> > 
> > 1. Win2K offers an additional OID in the NegProt Response:
> > 	1.2.840.113554.2.2.3, which looks strange as it is a 
> > 	sub-oid of KRB5. Ethereal does not know of it ATM.
> > 
> > 2. In the session setup&X, the MechType offers MS KRB5, KRB5, and 
> >    NTLMSSP, in that order.
> 
> Clearly, however, the AD-enabled client must be making the decision based 
> solely on the NegProt response ... 

OK, further differences:

1. Windows sends back a session key of 0 in the NegProt response, Samba 
does not.

2. Windows sets security bits to include signatures, Samba does not.

3. Windows returns the OIDs in the negTokenInit mechType with MS KRB5 
first, while Samba has KRB5 first.

Regards
-----
Richard Sharpe, rsharpe[at]ns.aus.com, rsharpe[at]samba.org, 
sharpe[at]ethereal.com, http://www.richardsharpe.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: kjc1.cap
Type: application/octet-stream
Size: 59787 bytes
Desc: 
Url : http://lists.samba.org/archive/samba-technical/attachments/20030717/1c321e74/kjc1.obj
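As an added illustration (not code from this thread, from Samba or from Windows), the following Python decoder pulls the mechTypes list out of a SPNEGO negTokenInit so that a capture like the one discussed above can be checked for which mechanism the server offers first. The OID-to-name table and the sample token are assumptions constructed for the example; the token is hand-encoded in the Windows-style order the mail describes, not taken from kjc1.cap.

```python
# Added example, not Samba or Windows code: pull the mechTypes list out of a
# SPNEGO negTokenInit (RFC 4178) so a capture shows which mechanism is offered first.
SPNEGO_OID = "1.3.6.1.5.5.2"
MECH_NAMES = {"1.2.840.48018.1.2.2": "MS KRB5",
              "1.2.840.113554.1.2.2": "KRB5",
              "1.3.6.1.4.1.311.2.2.10": "NTLMSSP"}

def _read_tlv(buf, pos):
    # One DER element at pos -> (tag, content bytes, position after it)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    # DER OID content -> dotted string (first byte packs the first two arcs)
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def parse_mech_types(token):
    # Return mechTypes OIDs in the order the server advertised them
    _, body, _ = _read_tlv(token, 0)                   # [APPLICATION 0] InitialContextToken
    tag, oid, pos = _read_tlv(body, 0)                 # thisMech must be SPNEGO
    if tag != 0x06 or _decode_oid(oid) != SPNEGO_OID:
        raise ValueError("outer mechanism is not SPNEGO")
    _, nti, _ = _read_tlv(body, pos)                   # [0] negTokenInit
    _, seq, _ = _read_tlv(nti, 0)                      # NegTokenInit SEQUENCE
    _, ctx0, _ = _read_tlv(seq, 0)                     # [0] mechTypes
    _, mech_list, _ = _read_tlv(ctx0, 0)               # SEQUENCE OF MechType
    mechs, pos = [], 0
    while pos < len(mech_list):
        _, oid, pos = _read_tlv(mech_list, pos)
        mechs.append(_decode_oid(oid))
    return mechs

def mech_names(token):
    return [MECH_NAMES.get(o, o) for o in parse_mech_types(token)]

# Constructed sample (hand-encoded, not from kjc1.cap): Windows-style order,
# MS KRB5 (1.2.840.48018.1.2.2), KRB5 (1.2.840.113554.1.2.2), NTLMSSP.
WIN_STYLE_TOKEN = bytes.fromhex(
    "6032 0606 2b0601050502 a028 3026 a024 3022 0609 2a864882f712010202"
    "0609 2a864886f712010202 060a 2b06010401823702020a")
```

Feed `parse_mech_types` the security blob from a NegProt response or Session Setup to compare the ordering a Samba server sends against the Windows one.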