[PATCH] [WIP] Connecting to trusted domains using a machine account in the classic DC
Stefan (metze) Metzmacher
metze at samba.org
Wed Dec 11 11:53:00 MST 2013
Hi Andrew,
>>> What do you think of this approach?
>>
>> I'd like to do some testing with windows first, using our own machine
>> account and relying on a 2 way trust is ugly, we should only do it if
>> windows also does it.
>
> The testing was with Windows 2008. I don't see we have any other option
> other than to rely on the two-way trust, if we want authentication, and
> without authentication we are vulnerable to all sorts of MITM attacks,
No, we just need to implement DCERPC header signing.
> as well as to restrict anonymous issues.
Maybe, I'd like to see captures of windows failing this way.
> Certainly we need to at least use the stored username/password (which is
> what Samba 3.6 did, somehow).
>
>> Can you do some captures of windows to windows trusts?
>
> We can make fair comparisons with AD <-> AD trusts, but Windows NT4 <->
> AD doesn't exist as a model for comparison any more.
Why? It's still possible to test with nt4 sp6a.
> I will note that the Windows connection back to Samba classic is
> anonymous, and to avoid deadlocks we need to do the same when not
> talking to an Active Directory domain.
Does it use kerberos in some cases?
metze