"Faking" an AD Join.

Dave Daugherty dave.daugherty at centrify.com
Wed Dec 19 00:26:29 GMT 2007

From: Christopher R. Hertel [mailto:crh at ubiqx.mn.org] 
Sent: Tuesday, December 18, 2007 3:49 PM

> The pass-through system I'm thinking about doesn't need a secure
> It's the old pass-through in which the server mimics the user trying
to log
> on, but tries to log on to the DC.  The challenge and response are
> through" the server like a man-in-the-middle attack.  Won't work with
> signing.

The only packet you are expected to sign will be the smbclose and who
cares if a windows 2k3 domain controller rejects that.  You just
immediately disconnect.

Since with this scheme you can't get group membership - you probably
have to assign/create a primary group when you are creating the new unix
attributes for the ad user.

Dave Daugherty

More information about the samba-technical mailing list