Windows clients and NT domain membership.

Christopher R. Hertel crh at
Wed Nov 5 19:45:45 GMT 2003

On Wed, Nov 05, 2003 at 11:04:19AM -0800, Matt Seitz wrote:
> Christopher R. Hertel wrote:
> >I've read a few things which state that NT Domains pass "tokens" that 
> >allow the client to authenticate with servers without having to re-submit 
> >credentials (even cached credentials).  That model applies to Kerberos 
> >authentication, certainly, but I don't have any evidence that anything 
> >like that is outside of Kerberos.
> That is my understanding, too.  Perhaps the token idea came out of a 
> misunderstanding about how the NETLOGON method allows a member server to 
> authenticate a user, as opposed to the Pass-Through method that requires 
> the member server to forward the authentication request to a domain 
> controller.

A good guess.  I re-read the Philip C. Cox/Paul B. Hill paper covering 
NETLOGON just to be sure I had my head on straight.

I am still curious about the differences between W9x/Me/XP-Home vs. 
NT/2kx/XP-Pro.  I need to set up a domain some time so I can see how a 
W9x-type system does authentication when it's a "member" of the domain.


Chris -)-----

"Implementing CIFS - the Common Internet FileSystem" ISBN: 013047116X
Samba Team --     -)-----   Christopher R. Hertel
jCIFS Team --   -)-----   ubiqx development, uninq.
ubiqx Team --     -)-----   crh at
OnLineBook --    -)-----   crh at

More information about the samba-technical mailing list