Authentication through transitive trusts
rsharpe at richardsharpe.com
Thu Jul 17 22:42:15 GMT 2003
On Thu, 17 Jul 2003, Richard Sharpe wrote:
> > > Here you go. Similar setup:
> > >
> > > 10.0.0.204 - "WIN1" - Windows 2000 (SP4) AD Server, domain WIN1DOM
> > >
> > > 10.0.0.189 - "KJCWINXP" - Windows XP Pro Client, a member of WIN1DOM
> > >
> > > It shows KJCWINXP connecting to the "Program Files" share on WIN1. It looks
> > > like it negotiated "MS KRB5" protocol.
> > OK, apart from the long-file name bit that I mentioned before, here is/are
> > some further difference(s) between Samba and Win2K ...
> > 1. Win2K offers an additional OID in the NegProt Response:
> > 1.2.840.1135126.96.36.199, which looks strange as it is a
> > sub-oid of KRB5. Ethereal does not know of it ATM.
> > 2. In the session setup&X, the MechType offers MS KRB5, KRB5, and
> > NTLMSSP, in that order.
> Clearly, however, the AD-enabled client must be making the decision based
> solely on the NegProt response ...
OK, further differences:
1. Windows sends back a session key of 0 in the NegProt response, Samba
2. Windows sets security bits to include signatures, Samba does not.
3. Windows returns the OIDs in the negTokenInit mechType with MS KRB5
first, while Samba has KRB5 first.
Richard Sharpe, rsharpe[at]ns.aus.com, rsharpe[at]samba.org,
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 59787 bytes
Url : http://lists.samba.org/archive/samba-technical/attachments/20030717/1c321e74/kjc1.obj
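The third difference above is the order of the OIDs in the SPNEGO negTokenInit mechTypes list. The following is an added example, not code from the thread or from Samba: a minimal DER encoder/decoder (standard library only) that builds a negTokenInit with a chosen mechanism order and parses one back to report which mechanism is offered first. The OID constants are the standard SPNEGO, MS KRB5, KRB5 and NTLMSSP values; the "Samba order" list is a constructed illustration (the thread only states that Samba lists KRB5 first).

```python
# Added example (not from the mailing-list thread or from Samba): build and
# parse a SPNEGO negTokenInit (RFC 4178) to inspect the mechTypes order.
# Hand-rolled minimal DER; arcs restricted to the 0/1 roots used here.

SPNEGO = "1.3.6.1.5.5.2"
MS_KRB5 = "1.2.840.48018.1.2.2"
KRB5 = "1.2.840.113554.1.2.2"
NTLMSSP = "1.3.6.1.4.1.311.2.2.10"
NAMES = {MS_KRB5: "MS KRB5", KRB5: "KRB5", NTLMSSP: "NTLMSSP"}

# Order as reported for Windows in the thread; the Samba order is constructed
# for illustration (only "KRB5 first" is stated in the thread).
WINDOWS_ORDER = [MS_KRB5, KRB5, NTLMSSP]
SAMBA_ORDER = [KRB5, MS_KRB5, NTLMSSP]


def der_len(n):
    """DER length octets: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def encode_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]          # base-128, high bit set on all but last
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    arcs = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def build_neg_token_init(mechs):
    """[APPLICATION 0] { thisMech=SPNEGO, [0] NegTokenInit { [0] mechTypes } }"""
    mech_list = tlv(0x30, b"".join(encode_oid(m) for m in mechs))
    neg_init = tlv(0x30, tlv(0xA0, mech_list))
    return tlv(0x60, encode_oid(SPNEGO) + tlv(0xA0, neg_init))


def parse_mech_types(token):
    """Return the mechTypes OIDs, in wire order, from an initial context token."""
    tag, body, _ = read_tlv(token, 0)
    if tag != 0x60:
        raise ValueError("not a GSS-API initial context token")
    tag, oid, pos = read_tlv(body, 0)
    if tag != 0x06 or decode_oid(oid) != SPNEGO:
        raise ValueError("thisMech is not SPNEGO")
    tag, neg, _ = read_tlv(body, pos)
    if tag != 0xA0:
        raise ValueError("not a negTokenInit")
    _, init_seq, _ = read_tlv(neg, 0)
    tag, mech_ctx, _ = read_tlv(init_seq, 0)
    if tag != 0xA0:
        raise ValueError("mechTypes missing")
    _, mech_seq, _ = read_tlv(mech_ctx, 0)
    mechs, pos = [], 0
    while pos < len(mech_seq):
        _, oid, pos = read_tlv(mech_seq, pos)
        mechs.append(decode_oid(oid))
    return mechs


def preferred_mech(token):
    """Name of the first (most preferred) mechanism in the token."""
    first = parse_mech_types(token)[0]
    return NAMES.get(first, first)


if __name__ == "__main__":
    for label, order in (("Windows", WINDOWS_ORDER), ("Samba", SAMBA_ORDER)):
        tok = build_neg_token_init(order)
        print(label, tok.hex(), "->", preferred_mech(tok))
```

Feeding a captured negTokenInit (the raw SPNEGO blob from a NegProt response or Session Setup) to parse_mech_types shows the server's advertised preference directly, which is the quickest way to confirm whether a given server lists MS KRB5 or KRB5 first.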