Domain Join w/ SChannel GSS-API Kerberos for JCIFS
Michael B Allen
mba2000 at ioplex.com
Mon Nov 15 07:57:09 GMT 2004
On Mon, 15 Nov 2004 16:48:03 +1100
Andrew Bartlett <abartlet at samba.org> wrote:
> > 1) Join the domain
> > 2) DCE bind w/ schannel
> > 3) Do GSS-API to get Kerberos ticket
> > 4) Send blob from ticket to KDC to get group membership
> > 5) Do ACL stuff
>
> This is incorrect. Instead:
>
> 1) Join the domain (or have somebody else supply a keytab, via ktpass or
> samba)
> 2) User performs a kerberos login to your software
> 3) Extract and verify the PAC, inside your software
> 4) Do ACL stuff
>
> If you don't have a kerberos ticket, but instead a username/password,
> you just do the kerberos login yourself.
>
> You only need to actively talk to the DC for NTLM authentication
Okay, so to actually authenticate I can just do Kerberos without doing any
SMB whatsoever?
At any point do I need to do/benefit from NETLOGON?
Or do I do SessionSetupAndX extended security with just the data in the
Kerberos ticket/blob/PAC?
Thanks,
Mike
--
Greedo shoots first? Not in my Star Wars.
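Step 3 of Andrew's list (extract and verify the PAC) is the part a service has to get right; as an added example that is not JCIFS or Samba code, this Python sketch parses the MS-PAC buffer table and checks the server signature with the RFC 4757 RC4-HMAC checksum under the service key. The sample PAC, the service key bytes and the stand-in krbtgt key are all constructed; a real PAC comes out of the decrypted ticket's AuthorizationData, and its KDC signature can only be checked by a DC.

```python
import hashlib, hmac, struct

# MS-PAC buffer types, the RC4-HMAC checksum type (-138) and the key usage MS-PAC gives for PAC signatures
PAC_LOGON_INFO, PAC_SERVER_CHECKSUM, PAC_PRIVSVR_CHECKSUM = 1, 6, 7
KERB_CHECKSUM_HMAC_MD5, KERB_NON_KERB_CKSUM_SALT = 0xFFFFFF76, 17

def rc4_hmac_checksum(key, usage, data):
    """RFC 4757 checksum: Ksign = HMAC-MD5(K, "signaturekey\\0"); result = HMAC-MD5(Ksign, MD5(usage || data))."""
    ksign = hmac.new(key, b"signaturekey\0", hashlib.md5).digest()
    return hmac.new(ksign, hashlib.md5(struct.pack("<I", usage) + data).digest(), hashlib.md5).digest()

def parse_pac(pac):
    """Walk the PACTYPE header and PAC_INFO_BUFFER array; return {ulType: (offset, size)}."""
    cbuffers, version = struct.unpack_from("<II", pac, 0)
    bufs = {}
    for i in range(cbuffers):
        ultype, size, offset = struct.unpack_from("<IIQ", pac, 8 + 16 * i)
        if offset + size > len(pac):
            raise ValueError("PAC_INFO_BUFFER points outside the PAC")
        bufs[ultype] = (offset, size)
    return bufs

def verify_server_checksum(pac, service_key):
    """Recompute the server signature over the PAC with both Signature fields zeroed."""
    bufs = parse_pac(pac)
    off, size = bufs[PAC_SERVER_CHECKSUM]
    if struct.unpack_from("<I", pac, off)[0] != KERB_CHECKSUM_HMAC_MD5:
        raise ValueError("only the RC4-HMAC signature type is handled here")
    scratch = bytearray(pac)
    for o, s in (bufs[PAC_SERVER_CHECKSUM], bufs[PAC_PRIVSVR_CHECKSUM]):
        scratch[o + 4:o + s] = bytes(s - 4)  # keep SignatureType, zero Signature
    return hmac.compare_digest(rc4_hmac_checksum(service_key, KERB_NON_KERB_CKSUM_SALT, bytes(scratch)), pac[off + 4:off + size])

def build_sample_pac(service_key, logon_blob):
    """Constructed sample PAC: a logon-info buffer plus server and KDC signature buffers."""
    lo = 8 + 16 * 3                            # buffer data starts after the header
    so = lo + (len(logon_blob) + 7) // 8 * 8   # 8-byte aligned, as in a real PAC
    ko = so + 24
    pac = bytearray(ko + 24)
    struct.pack_into("<II", pac, 0, 3, 0)      # cBuffers = 3, Version = 0
    layout = [(PAC_LOGON_INFO, len(logon_blob), lo), (PAC_SERVER_CHECKSUM, 20, so), (PAC_PRIVSVR_CHECKSUM, 20, ko)]
    for i, (t, size, off) in enumerate(layout):
        struct.pack_into("<IIQ", pac, 8 + 16 * i, t, size, off)
    pac[lo:lo + len(logon_blob)] = logon_blob
    struct.pack_into("<I", pac, so, KERB_CHECKSUM_HMAC_MD5)
    struct.pack_into("<I", pac, ko, KERB_CHECKSUM_HMAC_MD5)
    pac[so + 4:so + 20] = rc4_hmac_checksum(service_key, KERB_NON_KERB_CKSUM_SALT, bytes(pac))
    # A real KDC signature covers the server signature with the krbtgt key; a made-up key stands in here.
    pac[ko + 4:ko + 20] = rc4_hmac_checksum(b"constructed-krbtgt-key", KERB_NON_KERB_CKSUM_SALT, pac[so + 4:so + 20])
    return bytes(pac)
```

Because the service holds only its own key, a local check covers the server signature alone; flipping a byte in the logon-info buffer or using the wrong key makes verify_server_checksum return False.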