"Faking" an AD Join.
Christopher R. Hertel
crh at ubiqx.mn.org
Tue Dec 18 23:49:26 GMT 2007
Dave Daugherty wrote:
>> On Behalf Of Christopher R. Hertel
>> Sent: Tuesday, December 18, 2007 3:15 PM
>>
>> Okay, another one...
>>
>> Other than 'security=server', is there any way to perform
>> authentication against an Active Directory Domain Controller
>> if the admins won't allow me to join my machine to the domain?
>>
>> I'm thinking not, but I'd love to be proven wrong.
>>
>> If security=server is the only option, then I still need a mechanism
>> for mapping IDs, possibly based on username alone (or the
>> Domain/Username combo). That mapping would need to be stored
>> somewhere (OpenLDAP?) so that it is consistent across multiple
>> servers.
>>
>> What insight can people provide?
>>
>> Chris -)-----
>
> If you had a Windows XP machine, will they allow you to join that? If so,
> what's the difference?
Test vs. Prod, I guess. I'm actually three steps removed. The sales team
is on-site, they're talking to the support guy, and the support guy is
talking to me. I'm actually rather impressed by the reports I see coming
from the sales team. They've got clue.
> Without a real join, I think Kerberos is out. If they give you a user
> name and password so you can establish a secure channel, then you can do
> NTLM pass-through authentication, and parse the response to get the
> user's group list. Samba already has a "winbind_idmap.tdb" file that
> you can hijack to create your own mappings.
The pass-through system I'm thinking about doesn't need a secure channel.
It's the old pass-through in which the server mimics the user trying to log
on, but tries to log on to the DC. The challenge and response are "passed
through" the server like a man-in-the-middle attack. Won't work with signing.
> Seems like a lot of hacking, but I think it could be made to work.
I'm still gathering information from the folks on-site. I'll see where it goes.
Thanks!
Chris -)-----
--
"Implementing CIFS - the Common Internet FileSystem" ISBN: 013047116X
Samba Team -- http://www.samba.org/ -)----- Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/ -)----- ubiqx development, uninq
ubiqx Team -- http://www.ubiqx.org/ -)----- crh at ubiqx.mn.org
OnLineBook -- http://ubiqx.org/cifs/ -)----- crh at ubiqx.org
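A small model of the pass-through point discussed above, added to this archive page and not code from the thread or from Samba: with NTLMv2 (MS-NLMP) the session base key is derived from the user's NTOWFv2, which only the client and the DC hold, so a security=server pass-through that merely relays the challenge and response can learn accept/reject but cannot sign or verify signed SMB traffic; a joined member is handed the key by the DC over its secure channel instead. The NT hash, user, domain and client blob are constructed sample values, and `sign` is a stand-in for SMB signing rather than the real SMB signing algorithm.

```python
import hmac
import hashlib
import os

# Constructed sample credential: 16 bytes standing in for the NT hash MD4(UTF-16LE(password)).
NT_HASH = bytes.fromhex("0c0ffeeba5eba11deadbeefcafef00d1")

def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 (MS-NLMP 3.3.2): HMAC-MD5 over upper-cased user + domain, keyed by the NT hash."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()

def client_respond(ntowf: bytes, server_challenge: bytes, client_blob: bytes):
    """Client side of NTLMv2: returns (NtChallengeResponse, SessionBaseKey)."""
    nt_proof = hmac.new(ntowf, server_challenge + client_blob, hashlib.md5).digest()
    session_base_key = hmac.new(ntowf, nt_proof, hashlib.md5).digest()
    return nt_proof + client_blob, session_base_key

def dc_validate(ntowf: bytes, server_challenge: bytes, response: bytes):
    """DC side: recompute NTProofStr from the stored NTOWFv2; returns SessionBaseKey or None."""
    nt_proof, blob = response[:16], response[16:]
    expected = hmac.new(ntowf, server_challenge + blob, hashlib.md5).digest()
    if not hmac.compare_digest(expected, nt_proof):
        return None
    return hmac.new(ntowf, nt_proof, hashlib.md5).digest()

def sign(key: bytes, message: bytes) -> bytes:
    """Stand-in for SMB signing: a MAC keyed by the negotiated session key."""
    return hmac.new(key, message, hashlib.md5).digest()

def passthrough_scenario(user: str = "alice", domain: str = "CORP", joined: bool = False) -> dict:
    """Models security=server pass-through. The relaying server only ever sees the challenge
    and the response; only a joined member (secure channel) receives the session key from the DC."""
    ntowf = ntowf_v2(NT_HASH, user, domain)          # held by the client and the DC only
    challenge = os.urandom(8)                         # DC's challenge, relayed to the client
    blob = os.urandom(8) + b"\x00" * 8                # constructed stand-in for the NTLMv2 client blob
    response, client_key = client_respond(ntowf, challenge, blob)
    dc_key = dc_validate(ntowf, challenge, response)  # DC checks the relayed response
    accepted = dc_key is not None
    relay_key = dc_key if joined else None            # no secure channel: relay gets only accept/reject
    message = b"SMB request after logon"
    relay_can_sign = relay_key is not None and sign(relay_key, message) == sign(client_key, message)
    return {"accepted": accepted, "relay_can_sign": relay_can_sign}

if __name__ == "__main__":
    print("security=server relay:", passthrough_scenario())
    print("joined member:        ", passthrough_scenario(joined=True))
```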
More information about the samba-technical mailing list