"Secure" channel demystifying?

[Dimitry V. Ketov]

Hi, samba hackers!

Sorry if my post is an off-topic here, but there is no other best place
to ask :)

As I know domain controllers and domain members use so-called "secure"
(but actually just machine-to machine authenticated) channel in netlogon
protocol for communications. For the (my) first sight it's rather
strange, in comparison with the "usual" method to authenticate the
_entity_ wich accesses information (e.g. user that logons).

All I can guess for this is authentication and authorization for DCs
replications, inter-domain requests and so on, that is possible without
any user intervention (and therefore without any user's account, just by
using machine's accounts). But what reasons to use that "secure" channel
for the real user logon purposes?

Spent some time looked for an answer (why that additional "security" is
needed) in the web sources (including microsoft), and found nothing
illustrative to prove my guesses, I've decided to ask this list for an
explanation. :)

- Is my guesses right or wrong?
- In which cases that "secure" (just authenticated) channel used?
- Give me some good points to information/documentation...

PS. Yes, I'm aware of today's secure channel signing and cyphering ;)

Thanks in advance,
Dimitry.