"Faking" an AD Join.

Christopher R. Hertel crh at ubiqx.mn.org
Tue Dec 18 23:49:26 GMT 2007

Dave Daugherty wrote:
>> On Behalf Of Christopher R. Hertel
>> Sent: Tuesday, December 18, 2007 3:15 PM
>> Okay, another one...
>> Other than 'security=server', is there any way to perform
>> authentication against an Active Directory Domain Controller
>> if the admins won't allow me to join my machine to the domain?
>> I'm thinking not, but I'd love to be proven wrong.
>> If security=server is the only option, then I still need a mechanism
>> for mapping IDs, possibly based on username alone (or the
>> Domain/Username combo).  That mapping would need to be stored
>> somewhere (OpenLDAP?) so that it is consistent across multiple
>> servers.
>> What insight can people provide?
>> Chris -)-----
> If you had a windows XP machine will they allow you to join that? If so,
> what's the difference?

Test vs. Prod, I guess.  I'm actually three steps removed.  The sales team
is on-site, they're talking to the support guy, and the support guy is
talking to me.  I'm actually rather impressed by the reports I see coming
from the sales team.  They've got clue.

> Without a real join, I think Kerberos is out.  If they give you a user
> name and password so you can establish a secure channel, then you can do
> NTLM pass-through authentication, and parse the response to get the
> user's group list.  Samba already has a "winbind_idmap.tdb" file that
> you can high-jack to create your own mappings.

The pass-through system I'm thinking about doesn't need a secure channel.
It's the old pass-through in which the server mimics the user trying to log
on, but tries to log on to the DC.  The challenge and response are "passed
through" the server like a man-in-the-middle attack.  Won't work with signing.

> Seems like a lot of hacking, but I think it could be made to work.

I'm still gathering information from the folks on-site.  I'll see where it goes.


Chris -)-----

"Implementing CIFS - the Common Internet FileSystem"    ISBN: 013047116X
Samba Team -- http://www.samba.org/    -)-----     Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/  -)-----  ubiqx development, uninq
ubiqx Team -- http://www.ubiqx.org/    -)-----          crh at ubiqx.mn.org
OnLineBook -- http://ubiqx.org/cifs/   -)-----             crh at ubiqx.org

More information about the samba-technical mailing list