"Faking" an AD Join.
Dave Daugherty
dave.daugherty at centrify.com
Wed Dec 19 00:26:29 GMT 2007
From: Christopher R. Hertel [mailto:crh at ubiqx.mn.org]
Sent: Tuesday, December 18, 2007 3:49 PM
> The pass-through system I'm thinking about doesn't need a secure channel.
> It's the old pass-through in which the server mimics the user trying to log
> on, but tries to log on to the DC. The challenge and response are "passed
> through" the server like a man-in-the-middle attack. Won't work with
> signing.
The only packet you are expected to sign will be the smbclose, and who
cares if a Windows 2k3 domain controller rejects that? You just
immediately disconnect.
Since with this scheme you can't get group membership, you probably
have to assign/create a primary group when you are creating the new Unix
attributes for the AD user.
Dave Daugherty