Domain Join w/ SChannel GSS-API Kerberos for JCIFS

Michael B Allen mba2000 at
Mon Nov 15 04:09:15 GMT 2004

I'm not very strong with protocol details so I thought I could ask a
question here considering you guys have deciphered and implemented a lot
of this stuff.

For JCIFS 2.0 I want to rebuild the library around a modern security
system. To determine what I need to do I have a single use-case that I
think touches on most of the important pieces. The use-case is to logon to
a Kerberos domain, obtain the PAC for the user, and from that determine if
she is a member of a certain group. My rough understanding of what needs
to happen to do this is as follows:

  1) Join the domain
  2) DCE bind w/ schannel
  3) Do GSS-API to get Kerberos ticket
  4) Send blob from ticket to KDC to get group membership
  5) Do ACL stuff

We have ncacn_np RPCs workin' pretty well at this point. I've been looking
at the GSS-API RFC on the train (man it's long-winded!). I have a few
packet captures of pass-through authentication. Ideally I want to write a
Win32 program that performs the entire exchange against Samba so I can run
it over and over from the beginning (initially with schannel turned off).
Can someone describe the exact sequence of calls I need? What's a good

Considering how pervasive Java and MS are on large corporate Intranets,
fully integrating the two while retaining platform independence would be a
great alternative to .NET. I greatly appreciate any help.


More information about the samba-technical mailing list