NT Domain authentication.

Andrew Bartlett abartlet at samba.org
Sun Oct 26 03:02:51 GMT 2003


On Sun, 2003-10-26 at 06:08, Christopher R. Hertel wrote:
> I am aware of two methods of NT Domain authentication.
> 
> The first is pass-through (security=server) mode, in which the client thinks
> it is logging into a server, but the server is passing the
> challenge/response through to a DC.
> 
> The second is a NetLogon (security=domain).
> 
> Some clients (e.g., a W2K) will perform a "domain logon", which uses the NT
> Domain account as the authentication source for allowing a user to log on to
> the client box.  That is, getting to the desktop requires authentication
> against the DC.  No biggie.
> 
> Question is:  Once the user has authenticated against the DC, does the
>               client OS keep track of some token or other in order to
>               simplify logons to domain member servers?
> 
> I imagine that the client might cache the user's credentials
> (username/password or username/hash) but, as I understand it, there is no
> token or ticket-based mechanism (à la Kerberos) employed in the NT Domain
> system.

No token is stored, and NTLM authentication works in almost the same way
it would had the 'domain logon' not happened, and just uses the cached
username/password.  

Indeed MS got 'bitten' at one point by the fact that the location that
the cleartext username/pw were stored was accessible by normal programs
in Win9X...  (Naturally, this isn't an issue in a real OS like NT)

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
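
An added example, not part of the original message and not Samba code: a simplified model of the behaviour described in the reply, where each logon to a member server is a fresh challenge/response computed from the cached credential and checked by the DC, with no ticket carried between servers. It uses the NTLMv2 proof calculation with a shortened client blob; the class names, the account and the hash value are constructed for illustration.

```python
import hmac
import os

def ntlmv2_proof(nt_hash, user, domain, server_challenge, client_blob):
    """NTLMv2 proof: HMAC-MD5 keyed by a value derived from the NT hash."""
    v2_key = hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), "md5").digest()
    return hmac.new(v2_key, server_challenge + client_blob, "md5").digest()

class DomainController:
    def __init__(self, accounts):              # {(user, domain): nt_hash}
        self.accounts = accounts
    def validate(self, user, domain, challenge, blob, proof):
        nt_hash = self.accounts.get((user, domain))
        if nt_hash is None:
            return False
        expected = ntlmv2_proof(nt_hash, user, domain, challenge, blob)
        return hmac.compare_digest(expected, proof)

class MemberServer:
    """Holds no user secrets: issues a challenge, lets the DC check the response."""
    def __init__(self, dc):
        self.dc = dc
        self.challenge = None
    def new_challenge(self):
        self.challenge = os.urandom(8)
        return self.challenge
    def logon(self, user, domain, blob, proof):
        return self.dc.validate(user, domain, self.challenge, blob, proof)

class Client:
    """After the domain logon the client keeps the credential, not a token."""
    def __init__(self, user, domain, nt_hash):
        self.user, self.domain, self.nt_hash = user, domain, nt_hash
    def respond(self, challenge):
        blob = os.urandom(8)  # simplified: the real blob also carries a timestamp and target info
        return blob, ntlmv2_proof(self.nt_hash, self.user, self.domain, challenge, blob)

def demo():
    nt_hash = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed value
    dc = DomainController({("alice", "EXAMPLE"): nt_hash})
    client = Client("alice", "EXAMPLE", nt_hash)
    srv_a, srv_b = MemberServer(dc), MemberServer(dc)
    blob_a, proof_a = client.respond(srv_a.new_challenge())
    ok_a = srv_a.logon("alice", "EXAMPLE", blob_a, proof_a)
    blob_b, proof_b = client.respond(srv_b.new_challenge())
    ok_b = srv_b.logon("alice", "EXAMPLE", blob_b, proof_b)
    srv_b.new_challenge()
    reused = srv_b.logon("alice", "EXAMPLE", blob_a, proof_a)  # old response is not a token
    return ok_a, ok_b, reused
```

The response given to one server fails against another server's challenge, which is why the cached credential itself is the asset to protect.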