[PATCH] [WIP] Connecting to trusted domains using a machine account in the classic DC

Stefan (metze) Metzmacher metze at samba.org
Wed Dec 11 11:53:00 MST 2013

Hi Andrew,

>>> What do you think of this approach?
>> I'd like to do some testing with windows first, using our own machine
>> account
>> and relying on a 2 way trust is ugly, we should only do it if windows
>> also does it.
> The testing was with Windows 2008.  I don't see we have any other option
> other than to rely on the two-way trust, if we want authentication, and
> without authentication we are vulnerable to all sorts of MITM attacks,

No, we just need to implement DCERPC header signing.

> as well as to restrict anonymous issues.  

Maybe, I'd like to see captures of windows failing this way.

> Certainly we need to at least use the stored username/password (which is
> what Samba 3.6 did, somehow).
>> Can you do some captures of windows to windows trusts?
> We can make fair comparisons with AD <-> AD trusts, but Windows NT4 <->
> AD doesn't exist as a modal for comparison any more. 

Why it's still possible to test with nt4 sp6a.

> I will note that the Windows connection back to Samba classic is
> anonymous, and to avoid deadlocks we need to do the same when not
> talking to an Active Directory domain. 

Does it use kerberos in some cases?


More information about the samba-technical mailing list