Domain Join w/ SChannel GSS-API Kerberos for JCIFS

Michael B Allen mba2000 at
Mon Nov 15 07:57:09 GMT 2004

On Mon, 15 Nov 2004 16:48:03 +1100
Andrew Bartlett <abartlet at> wrote:

> >   1) Join the domain
> >   2) DCE bind w/ schannel
> >   3) Do GSS-API to get Kerberos ticket
> >   4) Send blob from ticket to KDC to get group membership
> >   5) Do ACL stuff
> This is incorrect.  Instead:
> 1) Join the domain (or have somebody else supply a keytab, via ktpass or
> samba)
> 2) User performs a kerberos login to your software
> 3) Extract and verify the PAC, inside your software
> 4) Do ACL stuff
> If you don't have a kerberos ticket, but instead a username/password,
> you just do the kerberos login yourself.
> You only need to actively talk to the DC for NTLM authentication

Okay, so to actually authenticate I can just do Kerberos without doing any
SMB whatsoever?

At any point do I need to do/benefit from NETLOGON?

Or do I do SessionSetupAndX extended security with just the data in the
Kerberos ticket/blob/PAC?


Greedo shoots first? Not in my Star Wars.
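Step 3 of Andrew's list, "extract and verify the PAC, inside your software", is the part a service can do entirely offline with the key from its keytab, and the following is an added example of it (editor's code, not JCIFS code and not anything posted in this thread). It parses the PACTYPE buffer table with bounds checks, then recomputes the server signature (MS-PAC 2.8.1: keyed hash over the whole PAC with both Signature fields zeroed, key usage 17) and only releases the client name, ticket auth time and logon-info bytes once that signature verifies. Only the server signature is checkable locally; the KDC signature over it is made with the krbtgt key, and checking that one is what the DC-side PAC validation over NETLOGON is for. Assumptions: the keys `SERVICE_KEY` and `KRBTGT_KEY` are constructed constants (a real service takes its rc4-hmac key from the keytab), only the RC4-HMAC signature type (RFC 4757 HMAC-MD5 checksum) is implemented since the AES types need RFC 3962 key derivation, and `SAMPLE_PAC` is built by the included `build_pac` with filler bytes standing in for the NDR-encoded KERB_VALIDATION_INFO, which is left undecoded.

```python
"""Constructed example: parse an MS-PAC and verify its server signature (RC4-HMAC case)."""
import hashlib
import hmac
import struct

# PAC_INFO_BUFFER ulType values (MS-PAC 2.4)
PAC_LOGON_INFO = 0x01        # KERB_VALIDATION_INFO: NDR-encoded user SID, group RIDs, extra SIDs
PAC_SERVER_CHECKSUM = 0x06   # signed with the service's own key
PAC_PRIVSVR_CHECKSUM = 0x07  # signed with the krbtgt key; only a DC can check it
PAC_CLIENT_INFO = 0x0A       # ticket auth time + client account name

# SignatureType values (MS-PAC 2.8) -> signature length in bytes
KERB_CHECKSUM_HMAC_MD5 = 0xFFFFFF76
SIG_LEN = {KERB_CHECKSUM_HMAC_MD5: 16, 0x0F: 12, 0x10: 12}  # 0x0F/0x10 = HMAC-SHA1-96 AES128/256
KERB_NON_KERB_CKSUM_SALT = 17  # key usage number used for both PAC signatures

# Constructed keys for this example. A real service reads its key from the keytab
# (the rc4-hmac key is the account's NT hash); the krbtgt key is never held by a service.
SERVICE_KEY = bytes.fromhex("3c5e4d7a9b1f2e6d8c0a7b5e4f3d2c1b")
KRBTGT_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def parse_pac(pac):
    """Return {ulType: (offset, size)} from the PACTYPE header, bounds-checking every buffer."""
    if len(pac) < 8:
        raise ValueError("PAC too short")
    n_buffers, version = struct.unpack_from("<II", pac, 0)
    if version != 0:
        raise ValueError("unsupported PACTYPE version")
    table_end = 8 + 16 * n_buffers
    if table_end > len(pac):
        raise ValueError("buffer table runs past end of PAC")
    buffers = {}
    for i in range(n_buffers):
        ul_type, size, offset = struct.unpack_from("<IIQ", pac, 8 + 16 * i)
        if offset < table_end or offset + size > len(pac) or ul_type in buffers:
            raise ValueError("bad PAC_INFO_BUFFER %#x" % ul_type)
        buffers[ul_type] = (offset, size)
    return buffers


def hmac_md5_checksum(key, usage, data):
    """KERB_CHECKSUM_HMAC_MD5 (RFC 4757 s.4): HMAC(Ksign, MD5(usage || data))."""
    ksign = hmac.new(key, b"signaturekey\x00", hashlib.md5).digest()
    inner = hashlib.md5(struct.pack("<I", usage) + data).digest()
    return hmac.new(ksign, inner, hashlib.md5).digest()


def _signature(pac, buffers, ul_type):
    """Locate a PAC_SIGNATURE_DATA buffer; return (SignatureType, offset of Signature, its length)."""
    off, size = buffers[ul_type]
    if size < 4:
        raise ValueError("PAC_SIGNATURE_DATA truncated")
    sig_type, = struct.unpack_from("<I", pac, off)
    if sig_type not in SIG_LEN or size < 4 + SIG_LEN[sig_type]:
        raise ValueError("bad PAC_SIGNATURE_DATA")
    return sig_type, off + 4, SIG_LEN[sig_type]


def verify_server_signature(pac, service_key):
    """True iff the server signature matches, computed with the service's own key."""
    buffers = parse_pac(pac)
    if PAC_SERVER_CHECKSUM not in buffers or PAC_PRIVSVR_CHECKSUM not in buffers:
        raise ValueError("PAC is missing a signature buffer")
    sig_type, sig_off, sig_len = _signature(pac, buffers, PAC_SERVER_CHECKSUM)
    _, kdc_off, kdc_len = _signature(pac, buffers, PAC_PRIVSVR_CHECKSUM)
    if sig_type != KERB_CHECKSUM_HMAC_MD5:
        raise NotImplementedError("AES signatures need RFC 3962 key derivation (not shown here)")
    # MS-PAC 2.8.1: hash the entire PAC with both Signature fields zeroed
    zeroed = bytearray(pac)
    zeroed[sig_off:sig_off + sig_len] = bytes(sig_len)
    zeroed[kdc_off:kdc_off + kdc_len] = bytes(kdc_len)
    expected = hmac_md5_checksum(service_key, KERB_NON_KERB_CKSUM_SALT, bytes(zeroed))
    return hmac.compare_digest(expected, pac[sig_off:sig_off + sig_len])


def verified_client(pac, service_key):
    """'Extract and verify the PAC': nothing is returned unless the server signature checks."""
    if not verify_server_signature(pac, service_key):
        raise PermissionError("PAC server signature mismatch")
    buffers = parse_pac(pac)
    off, size = buffers[PAC_CLIENT_INFO]
    auth_time, name_len = struct.unpack_from("<QH", pac, off)   # FILETIME, then UTF-16LE name
    if 10 + name_len > size:
        raise ValueError("PAC_CLIENT_INFO truncated")
    name = pac[off + 10:off + 10 + name_len].decode("utf-16-le")
    lo, ls = buffers[PAC_LOGON_INFO]
    return name, auth_time, pac[lo:lo + ls]   # logon info left NDR-encoded; SIDs come from it


def build_pac(service_key, krbtgt_key, client_name, auth_time, logon_info):
    """Constructed PAC laid out like a KDC would: 8-byte aligned buffers, then both signatures."""
    name = client_name.encode("utf-16-le")
    bufs = [(PAC_LOGON_INFO, logon_info),
            (PAC_CLIENT_INFO, struct.pack("<QH", auth_time, len(name)) + name),
            (PAC_SERVER_CHECKSUM, struct.pack("<I", KERB_CHECKSUM_HMAC_MD5) + bytes(16)),
            (PAC_PRIVSVR_CHECKSUM, struct.pack("<I", KERB_CHECKSUM_HMAC_MD5) + bytes(16))]
    header_len, table, body, offsets = 8 + 16 * len(bufs), b"", bytearray(), {}
    for ul_type, data in bufs:
        body += bytes(-(header_len + len(body)) % 8)   # pad to an 8-byte boundary
        offsets[ul_type] = header_len + len(body)
        table += struct.pack("<IIQ", ul_type, len(data), offsets[ul_type])
        body += data
    pac = bytearray(struct.pack("<II", len(bufs), 0) + table + body)
    srv = offsets[PAC_SERVER_CHECKSUM] + 4   # both Signature fields are still zero here
    pac[srv:srv + 16] = hmac_md5_checksum(service_key, KERB_NON_KERB_CKSUM_SALT, bytes(pac))
    kdc = offsets[PAC_PRIVSVR_CHECKSUM] + 4  # KDC signature covers only the server signature
    pac[kdc:kdc + 16] = hmac_md5_checksum(krbtgt_key, KERB_NON_KERB_CKSUM_SALT, bytes(pac[srv:srv + 16]))
    return bytes(pac)


# Constructed sample; the logon-info bytes are filler standing in for the NDR blob.
SAMPLE_PAC = build_pac(SERVICE_KEY, KRBTGT_KEY, "alice", 0x01C4CAF8E2D2B000, b"\x01\x10\x08\x00" + b"\xcc" * 20)

if __name__ == "__main__":
    print(verified_client(SAMPLE_PAC, SERVICE_KEY)[0])
```

In a real acceptor the PAC comes out of the AD-WIN2K-PAC authorization-data element of the decrypted service ticket, and the name returned here should be compared against the client principal in that ticket before the logon-info SIDs are used for any ACL decision; a flipped byte anywhere in the PAC, including the client name, makes `verify_server_signature` return False.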

