NT Domain authentication.
Andrew Bartlett
abartlet at samba.org
Sun Oct 26 03:02:51 GMT 2003
On Sun, 2003-10-26 at 06:08, Christopher R. Hertel wrote:
> I am aware of two methods of NT Domain authentication.
>
> The first is pass-through (security=server) mode, in which the client thinks
> it is logging into a server, but the server is passing the
> challenge/response through to a DC.
>
> The second is a NetLogon (security=domain).
>
> Some clients (e.g., a W2K) will perform a "domain logon", which uses the NT
> Domain account as the authentication source for allowing a user to log on to
> the client box. That is, getting to the desktop requires authentication
> against the DC. No biggie.
>
> Question is: Once the user has authenticated against the DC, does the
> client OS keep track of some token or other in order to
> simplify logons to domain member servers?
>
> I imagine that the client might cache the user's credentials
> (username/password or username/hash) but, as I understand it, there is no
> token or ticket-based mechanism (à la Kerberos) employed in the NT Domain
> system.

No token is stored, and NTLM authentication works in almost the same way
it would had the 'domain logon' not happened, and just uses the cached
username/password.

Indeed MS got 'bitten' at one point by the fact that the location that
the cleartext username/pw were stored was accessible by normal programs
in Win9X... (Naturally, this isn't an issue in a real OS like NT)

Andrew Bartlett
--
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
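
The behaviour described in the reply above, as an added example that is not part of the original message or of Samba's code: every logon to a member server is a new challenge/response computed from the cached secret, so nothing ticket-like exists to present a second time. It assumes the NTLMv2 HMAC-MD5 response calculation (the thread does not name a version), a constructed 16-byte value in place of a real cached NT hash, a random 8-byte client blob, and a direct method call standing in for the member server's hand-off to the DC.

```python
import hashlib, hmac, os

# Constructed sample value standing in for the 16-byte NT hash cached at logon.
CACHED_NT_HASH = bytes.fromhex("00112233445566778899aabbccddeeff")

def ntlmv2_response(nt_hash, user, domain, server_challenge, client_blob):
    """Proof = HMAC-MD5 over challenge+blob, keyed from the cached hash."""
    identity = (user.upper() + domain).encode("utf-16-le")
    key = hmac.new(nt_hash, identity, hashlib.md5).digest()
    proof = hmac.new(key, server_challenge + client_blob, hashlib.md5).digest()
    return proof + client_blob

class DomainController:
    def __init__(self, accounts):
        self.accounts = accounts                  # upper-cased user -> NT hash

    def verify(self, user, domain, challenge, response):
        nt_hash = self.accounts.get(user.upper())
        if nt_hash is None or len(response) < 16:
            return False
        expected = ntlmv2_response(nt_hash, user, domain, challenge, response[16:])
        return hmac.compare_digest(expected, response)

class MemberServer:
    def __init__(self, dc):
        self.dc, self.challenge = dc, None

    def start(self):
        self.challenge = os.urandom(8)            # fresh challenge per connection
        return self.challenge

    def logon(self, user, domain, response):
        challenge, self.challenge = self.challenge, None   # challenge is single use
        return challenge is not None and self.dc.verify(user, domain, challenge, response)

def demo():
    dc = DomainController({"ALICE": CACHED_NT_HASH})
    srv_a, srv_b = MemberServer(dc), MemberServer(dc)
    # The client recomputes a response from its cached secret for each server.
    resp_a = ntlmv2_response(CACHED_NT_HASH, "alice", "EXAMPLE", srv_a.start(), os.urandom(8))
    ok_a = srv_a.logon("alice", "EXAMPLE", resp_a)
    resp_b = ntlmv2_response(CACHED_NT_HASH, "alice", "EXAMPLE", srv_b.start(), os.urandom(8))
    ok_b = srv_b.logon("alice", "EXAMPLE", resp_b)
    # A response accepted by server A is not a token: B's new challenge rejects it.
    srv_b.start()
    reused = srv_b.logon("alice", "EXAMPLE", resp_a)
    return ok_a, ok_b, reused

if __name__ == "__main__":
    print(demo())
```

The only long-lived secret in the exchange is the cached credential on the client, which is why its storage location matters as much as the reply says.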
More information about the samba-technical
mailing list