Windows clients and NT domain membership.
rsharpe at richardsharpe.com
Wed Nov 5 21:22:07 GMT 2003
On Wed, 5 Nov 2003, Christopher R. Hertel wrote:
> On Wed, Nov 05, 2003 at 11:04:19AM -0800, Matt Seitz wrote:
> > Christopher R. Hertel wrote:
> > >I've read a few things which state that NT Domains pass "tokens" that
> > >allow the client to authenticate with servers without having to re-submit
> > >credentials (even cached credentials). That model applies to Kerberos
> > >authentication, certainly, but I don't have any evidence that anything
> > >like that is outside of Kerberos.
> > That is my understanding, too. Perhaps the token idea came out of a
> > misunderstanding about how the NETLOGON method allows a member server to
> > authenticate a user, as opposed to the Pass-Through method that requires
> > the member server to forward the authentication request to a domain
> > controller.
> A good guess. I re-read the Philip C. Cox/Paul B. Hill paper covering
> NETLOGON just to be sure I had my head on straight.
I believe that in an AD network, domain members do not need to
re-authenticate the logging on user with a DC/AD-server because an
AD-client machine that understands KRB5 passes a PAC in the security blob,
and that PAC contains the user's SID and the group SIDs of all groups
(flattened) that the user is a member of, and the PAC is signed by the
I am led to believe that we do not make any use of the PAC at this point,
so we have to go through the NETLOGON dance.
> I am still curious about the differences between W9x/Me/XP-Home vs.
> NT/2kx/XP-Pro. I need to set up a domain some time so I can see how a
> W9x-type system does authentication when it's a "member" of the domain.
Win9X does not join a domain in anything like the way that WinNT and above
do; however, I believe you can get updates.
> Chris -)-----
Richard Sharpe, rsharpe[at]ns.aus.com, rsharpe[at]samba.org,
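Added example, not from this thread or from Samba: a toy model of the two PAC checksums the message describes, showing what a KRB5-aware member server can verify with only its own service key (so no NETLOGON round trip is needed to learn the user's SID and flattened group SIDs) and what still requires the DC's krbtgt key. The keys, SIDs and byte layout are constructed; the real PAC uses NDR encoding and Kerberos checksum types, not this length-prefixed list.

```python
import hmac
import hashlib
import struct

SIG_LEN = 12  # HMAC-SHA1-96 style truncation (simplification of the real checksum types)

# Constructed sample keys: the service's long-term key and the DC's krbtgt key.
SERVICE_KEY = b"constructed-service-key-not-real"
KRBTGT_KEY = b"constructed-krbtgt-key-not-real"


def build_pac_body(user_sid, group_sids):
    """Serialise the authorization data a PAC carries: the user SID followed by the
    flattened group SIDs. Toy length-prefixed layout, NOT the MS-PAC NDR encoding."""
    items = [user_sid] + list(group_sids)
    body = struct.pack("<I", len(items))
    for sid in items:
        enc = sid.encode("utf-8")
        body += struct.pack("<H", len(enc)) + enc
    return body


def parse_pac_body(body):
    (n,) = struct.unpack_from("<I", body, 0)
    off, sids = 4, []
    for _ in range(n):
        (ln,) = struct.unpack_from("<H", body, off)
        off += 2
        sids.append(body[off:off + ln].decode("utf-8"))
        off += ln
    return sids[0], sids[1:]


def sign_pac(body, service_key, krbtgt_key):
    """KDC side. Server checksum: keyed with the service key over the body with the
    signature fields zeroed. KDC checksum: keyed with krbtgt over the server checksum."""
    zeroed = body + b"\x00" * (2 * SIG_LEN)
    server_sig = hmac.new(service_key, zeroed, hashlib.sha1).digest()[:SIG_LEN]
    kdc_sig = hmac.new(krbtgt_key, server_sig, hashlib.sha1).digest()[:SIG_LEN]
    return body + server_sig + kdc_sig


def split_pac(pac):
    return pac[:-2 * SIG_LEN], pac[-2 * SIG_LEN:-SIG_LEN], pac[-SIG_LEN:]


def member_server_accepts(pac, service_key):
    """What a member server can do alone: check the server checksum and read the SIDs.
    Returns (user_sid, group_sids), or None if the checksum does not verify."""
    body, server_sig, _ = split_pac(pac)
    expected = hmac.new(service_key, body + b"\x00" * (2 * SIG_LEN), hashlib.sha1).digest()[:SIG_LEN]
    if not hmac.compare_digest(expected, server_sig):
        return None
    return parse_pac_body(body)


def dc_validates_kdc_checksum(pac, krbtgt_key):
    """Only the DC holds the krbtgt key, so this check still means contacting a DC."""
    _, server_sig, kdc_sig = split_pac(pac)
    expected = hmac.new(krbtgt_key, server_sig, hashlib.sha1).digest()[:SIG_LEN]
    return hmac.compare_digest(expected, kdc_sig)
```

A member server that lacks the service key, or receives a PAC whose SID list was altered after signing, gets None from member_server_accepts and must fall back to the NETLOGON path or reject the logon.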