NT Domain authentication.
abartlet at samba.org
Sun Oct 26 03:02:51 GMT 2003
On Sun, 2003-10-26 at 06:08, Christopher R. Hertel wrote:
> I am aware of two methods of NT Domain authentication.
> The first is pass-through (security=server) mode, in which the client thinks
> it is logging into a server, but the server is passing the
> challenge/response through to a DC.
> The second is a NetLogon (security=domain).
> Some clients (e.g., a W2K) will perform a "domain logon", which uses the NT
> Domain account as the authentication source for allowing a user to log on to
> the client box. That is, getting to the desktop requires authentication
> against the DC. No biggie.
> Question is: Once the user has authenticated against the DC, does the
> client OS keep track of some token or other in order to
> simplify logons to domain member servers?
> I imagine that the client might cache the user's credentials
> (username/password or username/hash) but, as I understand it, there is no
> token or ticket-based mechanism (à la Kerberos) employed in the NT Domain
No token is stored, and NTLM authentication works in almost the same way
it would had the 'domain logon' not happened, and just uses the cached
Indeed MS got 'bitten' at one point by the fact that the location that
the cleartext username/pw were stored was accessible by normal programs
in Win9X... (Naturally, this isn't an issue in a real OS like NT)
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
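The exchange discussed in this thread, as an added example that is not part of the original message or of Samba's code: a client answers each member server's fresh challenge from its cached credential, and the server relays challenge and response to the DC for verification, so nothing ticket-like carries over between logons. Assumptions: the cached credential is modelled as a 16-byte NT hash, the response uses the NTLMv2 HMAC-MD5 construction with a simplified client blob, and the class names, user name, domain and hash value are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

def ntlmv2_response(nt_hash, user, domain, server_challenge, blob):
    """NTLMv2 response: HMAC-MD5 proof over (server challenge + client blob), then the blob."""
    key = hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()
    proof = hmac.new(key, server_challenge + blob, hashlib.md5).digest()
    return proof + blob

def client_blob(timestamp=0):
    """Simplified client blob: header, timestamp, 8-byte client nonce (no target-info list)."""
    return b"\x01\x01\x00\x00" + bytes(4) + struct.pack("<Q", timestamp) + os.urandom(8) + bytes(8)

class DomainController:
    def __init__(self, accounts):
        self.accounts = accounts  # lower-cased user name -> NT hash

    def verify(self, user, domain, server_challenge, response):
        nt_hash = self.accounts.get(user.lower())
        if nt_hash is None or len(response) <= 16:
            return False
        expected = ntlmv2_response(nt_hash, user, domain, server_challenge, response[16:])
        return hmac.compare_digest(expected, response)

class MemberServer:
    """Holds no user secrets: issues a challenge and passes the response to the DC."""
    def __init__(self, dc):
        self.dc, self.pending = dc, None

    def challenge(self):
        self.pending = os.urandom(8)
        return self.pending

    def logon(self, user, domain, response):
        challenge, self.pending = self.pending, None  # each challenge is single use
        return challenge is not None and self.dc.verify(user, domain, challenge, response)

# Constructed sample values, not real credentials.
CACHED_NT_HASH = bytes.fromhex("00112233445566778899aabbccddeeff")
USER, DOMAIN = "alice", "EXAMPLE"

def demo():
    dc = DomainController({USER: CACHED_NT_HASH})
    a, b = MemberServer(dc), MemberServer(dc)
    resp_a = ntlmv2_response(CACHED_NT_HASH, USER, DOMAIN, a.challenge(), client_blob())
    ok_a = a.logon(USER, DOMAIN, resp_a)
    b.challenge()
    replayed = b.logon(USER, DOMAIN, resp_a)  # answer to A's challenge, sent to B
    resp_b = ntlmv2_response(CACHED_NT_HASH, USER, DOMAIN, b.challenge(), client_blob())
    return ok_a, replayed, b.logon(USER, DOMAIN, resp_b)
```

`demo()` returns the results of the logon to server A, the response for A's challenge presented to server B, and a fresh logon to server B; only responses computed over the server's own current challenge verify at the DC.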