NT Domain authentication.

Andrew Bartlett abartlet at samba.org
Sun Oct 26 03:02:51 GMT 2003

On Sun, 2003-10-26 at 06:08, Christopher R. Hertel wrote:
> I am aware of two methods of NT Domain authentication.
> The first is pass-through (security=server) mode, in which the client thinks
> it is logging into a server, but the server is passing the
> challenge/response through to a DC.
> The second is a NetLogon (security=domain).
> Some clients (e.g., a W2K) will perform a "domain logon", which uses the NT
> Domain account as the authentication source for allowing a user to log on to
> the client box.  That is, getting to the desktop requires authentication
> against the DC.  No biggie.
> Question is:  Once the user has authenticated against the DC, does the
>               client OS keep track of some token or other in order to
>               simplify logons to domain member servers?
> I imagine that the client might cache the user's credentials
> (username/password or username/hash) but, as I understand it, there is no
> token or ticket-based mechanism (à la Kerberos) employed in the NT Domain
> system.

No token is stored, and NTLM authentication works in almost the same way
it would had the 'domain logon' not happened, and just uses the cached

Indeed MS got 'bitten' at one point by the fact that the location that
the cleartext username/pw were stored was accessible by normal programs
in Win9X...  (Naturally, this isn't an issue in a real OS like NT)

Andrew Bartlett

Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net