"Faking" an AD Join.

Christopher R. Hertel crh at ubiqx.mn.org
Wed Dec 19 16:52:52 GMT 2007


simo wrote:
:
> So using MITM techniques is preferred to letting a machine join and
> handle higher security levels?
>
> Curious.

Heh.  Yeah.

Of course, that's not exactly what's happening.  The reason we're looking at
the MITM approach is that the admins won't let the system join.  If we can
leverage the central AD auth system despite the restrictions, then testing
can go forward and the admins can look a little sheepish.

Dave Daugherty wrote:
:
> The only packet you are expected to sign will be the smbclose, and who
> cares if a Windows 2k3 domain controller rejects that.  You just
> immediately disconnect.

That's between the server and the AD controller and yeah, that's right.

I lose track of details sometimes (that's why I write things down) but I
think we'd also have to convince the clients to disable signing.  That may
be do-able.

> Since with this scheme you can't get group membership - you probably
> have to assign/create a primary group when you are creating the new Unix
> attributes for the AD user.

Yep.

Thanks!

Chris -)-----

-- 
"Implementing CIFS - the Common Internet FileSystem"    ISBN: 013047116X
Samba Team -- http://www.samba.org/    -)-----     Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/  -)-----  ubiqx development, uninq
ubiqx Team -- http://www.ubiqx.org/    -)-----          crh at ubiqx.mn.org
OnLineBook -- http://ubiqx.org/cifs/   -)-----             crh at ubiqx.org


More information about the samba-technical mailing list