Windows clients and NT domain membership.

Christopher R. Hertel crh at ubiqx.mn.org
Wed Nov 5 17:57:57 GMT 2003


On Wed, Nov 05, 2003 at 08:11:15AM -0800, Matt Seitz wrote:
> Christopher R. Hertel wrote:
> >If there's a Windows system (NT, 2k, etc.) that is a Domain member, and if
> >that system is used as a desktop client system, what benefits (if any) does
> >the desktop user gain?
> 
> Easier access to other machines in the domain.  If the machine is a domain 
> member, and the user logs in with his domain account, then the user can 
> access other machines in the domain without having to enter a different 
> account name and password.
> 
> It is possible to get the same effect by creating a local account with the 
> same user name and password.  But then you have to keep those accounts 
> synchronized.

Right.

My question is a little more detailed, though.  I have heard some folks 
claim that once the client logs on to the domain there is no need to log 
on to individual domain member servers.

From the user's perspective that may be true, but I believe it is because
the client caches the credentials.  I believe that, upon connecting to a
new SMB server (a domain member server), the client must still go through
the SMB logon process, and the SMB server still performs the
\\PIPE\NETLOGON authentication step.

That's what I got from re-reading the documentation that's available after 
I posted last night.

I've read a few things which state that NT Domains pass "tokens" that 
allow the client to authenticate with servers without having to re-submit 
credentials (even cached credentials).  That model applies to Kerberos 
authentication, certainly, but I don't have any evidence that anything 
like that is outside of Kerberos.

Thanks for the reply!

Chris -)-----

-- 
"Implementing CIFS - the Common Internet FileSystem" ISBN: 013047116X
Samba Team -- http://www.samba.org/     -)-----   Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/   -)-----   ubiqx development, uninq.
ubiqx Team -- http://www.ubiqx.org/     -)-----   crh at ubiqx.mn.org
OnLineBook -- http://ubiqx.org/cifs/    -)-----   crh at ubiqx.org


