Domain Join w/ SChannel GSS-API Kerberos for JCIFS
Andrew Bartlett
abartlet at samba.org
Mon Nov 15 23:13:54 GMT 2004
On Mon, 2004-11-15 at 18:57, Michael B Allen wrote:
> On Mon, 15 Nov 2004 16:48:03 +1100
> Andrew Bartlett <abartlet at samba.org> wrote:
>
> > > 1) Join the domain
> > > 2) DCE bind w/ schannel
> > > 3) Do GSS-API to get Kerberos ticket
> > > 4) Send blob from ticket to KDC to get group membership
> > > 5) Do ACL stuff
> >
> > This is incorrect. Instead:
> >
> > 1) Join the domain (or have somebody else supply a keytab, via ktpass or
> > samba)
> > 2) User performs a kerberos login to your software
> > 3) Extract and verify the PAC, inside your software
> > 4) Do ACL stuff
> >
> > If you don't have a kerberos ticket, but instead a username/password,
> > you just do the kerberos login yourself.
> >
> > You only need to actively talk to the DC for NTLM authentication
>
> Okay, so to actually authenticate I can just do Kerberos without doing any
> SMB whatsoever?
Yes.
> At any point do I need to do/benefit from NETLOGON?
Not for Kerberos. For NTLM, you would.
> Or do I do SessionSetupAndX extended security with just the data in the
> Kerberos ticket/blob/PAC?
Correct. This is one of the things that makes Kerberos such a useful
system. All you need is the service key.
Andrew Bartlett
--
Andrew Bartlett abartlet at samba.org
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
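Step 3 of the sequence above, extracting and verifying the PAC with the service key, as an added example in Python (not code from this thread, JCIFS or Samba): it parses the MS-PAC buffer table and checks the server checksum for the RC4-HMAC checksum type, assuming the PAC has already been taken out of the decrypted ticket's authorization data and that the 16-byte RC4 service key from the keytab is at hand; the key and logon-info bytes are constructed.

```python
import hashlib, hmac, struct
PAC_LOGON_INFO, PAC_SERVER_CHECKSUM, PAC_PRIVSVR_CHECKSUM = 1, 6, 7
KERB_CHECKSUM_HMAC_MD5 = 0xFFFFFF76  # RC4-HMAC checksum type (RFC 4757)
KERB_NON_KERB_CKSUM_SALT = 17        # key usage for the PAC checksums

def parse_pac(pac):
    """Return {ulType: (Offset, cbBufferSize)} from the PACTYPE header (cBuffers, Version, PAC_INFO_BUFFER[])."""
    count = struct.unpack_from("<II", pac, 0)[0]
    entries = (struct.unpack_from("<IIQ", pac, 8 + 16 * i) for i in range(count))
    return {btype: (offset, size) for btype, size, offset in entries}

def hmac_md5_checksum(key, data, usage):
    """KERB_CHECKSUM_HMAC_MD5: HMAC(HMAC(K, 'signaturekey\\0'), MD5(usage || data))."""
    ksign = hmac.new(key, b"signaturekey\x00", hashlib.md5).digest()
    return hmac.new(ksign, hashlib.md5(struct.pack("<I", usage) + data).digest(), hashlib.md5).digest()

def zero_signatures(pac, bufs):
    out = bytearray(pac)  # copy with both Signature fields zeroed, SignatureType kept (MS-PAC 2.8.1)
    for btype in (PAC_SERVER_CHECKSUM, PAC_PRIVSVR_CHECKSUM):
        if btype in bufs:
            off, size = bufs[btype]
            out[off + 4:off + size] = bytes(size - 4)
    return bytes(out)

def verify_server_checksum(pac, service_key):
    """True iff the server checksum verifies under the service's RC4-HMAC key."""
    bufs = parse_pac(pac)
    if PAC_SERVER_CHECKSUM not in bufs:
        return False
    off, size = bufs[PAC_SERVER_CHECKSUM]
    if size != 20 or struct.unpack_from("<I", pac, off)[0] != KERB_CHECKSUM_HMAC_MD5:
        return False  # AES checksum types are not handled in this example
    expected = hmac_md5_checksum(service_key, zero_signatures(pac, bufs), KERB_NON_KERB_CKSUM_SALT)
    return hmac.compare_digest(expected, pac[off + 4:off + 20])

def build_signed_pac(logon_info, service_key):
    """Constructed PAC: logon info, server checksum, KDC checksum (left zero; only the KDC can sign it)."""
    logon = logon_info + bytes(-len(logon_info) % 8)      # buffers are 8-byte aligned
    start = 8 + 16 * 3
    layout = [(PAC_LOGON_INFO, len(logon), start), (PAC_SERVER_CHECKSUM, 20, start + len(logon)),
              (PAC_PRIVSVR_CHECKSUM, 20, start + len(logon) + 24)]
    pac = struct.pack("<II", len(layout), 0)
    for btype, size, off in layout:
        pac += struct.pack("<IIQ", btype, size, off)
    pac += logon + struct.pack("<I", KERB_CHECKSUM_HMAC_MD5) + bytes(20)  # 16-byte sig + 4 pad
    pac += struct.pack("<I", KERB_CHECKSUM_HMAC_MD5) + bytes(16)
    sig = hmac_md5_checksum(service_key, pac, KERB_NON_KERB_CKSUM_SALT)  # Signature fields already zero
    off = layout[1][2]
    return pac[:off + 4] + sig + pac[off + 20:]
```

The KDC checksum (type 7) covers the server checksum and is made with the krbtgt key, so a service cannot verify it locally; a real acceptor also still has to check the ticket itself before trusting anything in the PAC.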