Windows clients and NT domain membership.

[Richard Sharpe]

On Wed, 5 Nov 2003, Christopher R. Hertel wrote:

> On Wed, Nov 05, 2003 at 11:04:19AM -0800, Matt Seitz wrote:
> > Christopher R. Hertel wrote:
> > >I've read a few things which state that NT Domains pass "tokens" that 
> > >allow the client to authenticate with servers without having to re-submit 
> > >credentials (even cached credentials).  That model applies to Kerberos 
> > >authentication, certainly, but I don't have any evidence that anything 
> > >like that is outside of Kerberos.
> > 
> > That is my understanding, too.  Perhaps the token idea came out of a 
> > misunderstanding about how the NETLOGON method allows a member server to 
> > authenticate a user, as opposed to the Pass-Through method that requires 
> > the member server to forward the authentication request to a domain 
> > controller.
> 
> A good guess.  I re-read the Philip C. Cox/Paul B. Hill paper covering 
> NETLOGON just to be sure I had my head on straight.

I believe that in an AD network, domain members do not need to 
re-authenticate the logging on user with a DC/AD-server because an 
AD-client machine that understands KRB5 passes a PAC in the security blob, 
and that pac contains the user's SID and the group SIDs of all groups 
(flattened) that the user is a member of, and the PAC is signed by the 
KDC.
 
I am lead to believe that we do not make any use of the PAC at this point, 
so we have to go through the NETLOGON dance.

> I am still curious about the differences between W9x/Me/XP-Home vs. 
> NT/2kx/XP-Pro.  I need to set up a domain some time so I can see how a 
> W9x-type system does authentication when it's a "member" of the domain.

Win9X does not join a domain in anything like the way that WinNT and above 
does, however, I believe you can get updates.

> Thanks!
> 
> Chris -)-----
> 
> 

-- 
Regards
-----
Richard Sharpe, rsharpe[at]ns.aus.com, rsharpe[at]samba.org, 
sharpe[at]ethereal.com, http://www.richardsharpe.com