Windows clients and NT domain membership.

Richard Sharpe rsharpe at
Wed Nov 5 21:22:07 GMT 2003

On Wed, 5 Nov 2003, Christopher R. Hertel wrote:

> On Wed, Nov 05, 2003 at 11:04:19AM -0800, Matt Seitz wrote:
> > Christopher R. Hertel wrote:
> > >I've read a few things which state that NT Domains pass "tokens" that 
> > >allow the client to authenticate with servers without having to re-submit 
> > >credentials (even cached credentials).  That model applies to Kerberos 
> > >authentication, certainly, but I don't have any evidence that anything 
> > >like that is outside of Kerberos.
> > 
> > That is my understanding, too.  Perhaps the token idea came out of a 
> > misunderstanding about how the NETLOGON method allows a member server to 
> > authenticate a user, as opposed to the Pass-Through method that requires 
> > the member server to forward the authentication request to a domain 
> > controller.
> A good guess.  I re-read the Philip C. Cox/Paul B. Hill paper covering 
> NETLOGON just to be sure I had my head on straight.

I believe that in an AD network, domain members do not need to 
re-authenticate the logging on user with a DC/AD-server because an 
AD-client machine that understands KRB5 passes a PAC in the security blob, 
and that PAC contains the user's SID and the group SIDs of all groups 
(flattened) that the user is a member of, and the PAC is signed by the 
I am led to believe that we do not make any use of the PAC at this point, 
so we have to go through the NETLOGON dance.

> I am still curious about the differences between W9x/Me/XP-Home vs. 
> NT/2kx/XP-Pro.  I need to set up a domain some time so I can see how a 
> W9x-type system does authentication when it's a "member" of the domain.

Win9X does not join a domain in anything like the way that WinNT and above 
do; however, I believe you can get updates.

> Thanks!
> Chris -)-----

Richard Sharpe, rsharpe[at], rsharpe[at], 
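
An added example to go with the PAC description in the message above (this is not Samba code and not from the original post): it serialises the MS-PAC buffer table (PACTYPE with PAC_INFO_BUFFER entries), fills in the server and KDC checksums the way MS-PAC 2.8 describes them for RC4-HMAC keys (KERB_CHECKSUM_HMAC_MD5, key usage 17), and then does the one check a domain member can perform locally: verify the server checksum with its own long-term key. The KERB_VALIDATION_INFO body is a constructed stand-in byte string, not real NDR encoding, and both keys are constructed; the AES variant (HMAC-SHA1-96) is not shown.

```python
"""Walk a Kerberos PAC (MS-PAC) and verify its server checksum.

Added example, not Samba code. The logon-info payload is a constructed
placeholder, not real NDR, and the keys are constructed."""
import hashlib
import hmac
import struct

# PAC_INFO_BUFFER ulType values (MS-PAC 2.4)
PAC_LOGON_INFO = 1          # KERB_VALIDATION_INFO: user SID + flattened group SIDs
PAC_SERVER_CHECKSUM = 6     # keyed with the target service's long-term key
PAC_PRIVSVR_CHECKSUM = 7    # keyed with the KDC (krbtgt) key
PAC_CLIENT_INFO = 10

KERB_CHECKSUM_HMAC_MD5 = 0xFFFFFF76   # checksum type -138, RC4-HMAC keys
HMAC_MD5_SIG_LEN = 16
KERB_NON_KERB_CKSUM_SALT = 17         # key usage used for PAC checksums


def kerb_checksum_hmac_md5(key: bytes, usage: int, data: bytes) -> bytes:
    """KERB_CHECKSUM_HMAC_MD5 (MS-PAC 2.8.1 / RFC 4757)."""
    ksign = hmac.new(key, b"signaturekey\x00", hashlib.md5).digest()
    tmp = hashlib.md5(struct.pack("<I", usage) + data).digest()
    return hmac.new(ksign, tmp, hashlib.md5).digest()


def build_pac(buffers):
    """Serialise [(ulType, payload), ...] into a PACTYPE blob (MS-PAC 2.3)."""
    offset = 8 + 16 * len(buffers)            # cBuffers, Version, then the table
    entries, payloads = [], []
    for ultype, payload in buffers:
        entries.append(struct.pack("<IIQ", ultype, len(payload), offset))
        padded = payload + b"\x00" * (-len(payload) % 8)   # 8-byte aligned
        payloads.append(padded)
        offset += len(padded)
    return struct.pack("<II", len(buffers), 0) + b"".join(entries) + b"".join(payloads)


def parse_pac(blob: bytes):
    """Return {ulType: (offset, size)} for every PAC_INFO_BUFFER, bounds-checked."""
    count, version = struct.unpack_from("<II", blob, 0)
    if version != 0:
        raise ValueError("unknown PAC version")
    table = {}
    for i in range(count):
        ultype, size, offset = struct.unpack_from("<IIQ", blob, 8 + 16 * i)
        if offset + size > len(blob):
            raise ValueError("PAC_INFO_BUFFER points outside the blob")
        table[ultype] = (offset, size)
    return table


def _zero_signatures(blob: bytes, table) -> bytearray:
    """Copy with both Signature fields zeroed (SignatureType kept), as MS-PAC specifies."""
    work = bytearray(blob)
    for t in (PAC_SERVER_CHECKSUM, PAC_PRIVSVR_CHECKSUM):
        off, size = table[t]
        work[off + 4:off + size] = b"\x00" * (size - 4)
    return work


def sign_pac(unsigned_buffers, server_key: bytes, kdc_key: bytes) -> bytes:
    """Append the two checksum buffers and fill them in (what a KDC does)."""
    placeholder = struct.pack("<I", KERB_CHECKSUM_HMAC_MD5) + b"\x00" * HMAC_MD5_SIG_LEN
    blob = build_pac(unsigned_buffers + [(PAC_SERVER_CHECKSUM, placeholder),
                                         (PAC_PRIVSVR_CHECKSUM, placeholder)])
    table = parse_pac(blob)
    work = _zero_signatures(blob, table)
    server_sig = kerb_checksum_hmac_md5(server_key, KERB_NON_KERB_CKSUM_SALT, bytes(work))
    kdc_sig = kerb_checksum_hmac_md5(kdc_key, KERB_NON_KERB_CKSUM_SALT, server_sig)
    soff = table[PAC_SERVER_CHECKSUM][0] + 4
    koff = table[PAC_PRIVSVR_CHECKSUM][0] + 4
    work[soff:soff + HMAC_MD5_SIG_LEN] = server_sig
    work[koff:koff + HMAC_MD5_SIG_LEN] = kdc_sig
    return bytes(work)


def verify_server_checksum(blob: bytes, server_key: bytes) -> bool:
    """The member server's local check: PAC intact and issued for this service key."""
    table = parse_pac(blob)
    if PAC_SERVER_CHECKSUM not in table or PAC_PRIVSVR_CHECKSUM not in table:
        return False
    off, size = table[PAC_SERVER_CHECKSUM]
    (sig_type,) = struct.unpack_from("<I", blob, off)
    if sig_type != KERB_CHECKSUM_HMAC_MD5 or size != 4 + HMAC_MD5_SIG_LEN:
        return False
    expected = kerb_checksum_hmac_md5(server_key, KERB_NON_KERB_CKSUM_SALT,
                                      bytes(_zero_signatures(blob, table)))
    return hmac.compare_digest(blob[off + 4:off + size], expected)


# Constructed sample data: a stand-in for KERB_VALIDATION_INFO (not NDR) and 16-byte keys.
LOGON_INFO = b"S-1-5-21-1-2-3-1105;groups=513,512"
SERVER_KEY = hashlib.md5(b"constructed service key").digest()
KDC_KEY = hashlib.md5(b"constructed krbtgt key").digest()


def demo():
    """Returns (valid PAC verifies, PAC with one flipped bit in the group list verifies)."""
    pac = sign_pac([(PAC_LOGON_INFO, LOGON_INFO), (PAC_CLIENT_INFO, b"client")],
                   SERVER_KEY, KDC_KEY)
    forged = bytearray(pac)
    off, _ = parse_pac(pac)[PAC_LOGON_INFO]
    forged[off] ^= 0x01
    return verify_server_checksum(pac, SERVER_KEY), verify_server_checksum(bytes(forged), SERVER_KEY)
```

The point for a member server is the last function: group SIDs in the PAC are only trustworthy after the server checksum has been verified with the service's own key, since that is what stops a client from presenting a PAC with extra groups. The KDC checksum cannot be checked locally (it needs the krbtgt key); confirming it requires a PAC validation round trip to a DC, which is the one remaining place the NETLOGON channel is still involved.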

More information about the samba-technical mailing list