programming question: authenticating to a domain controller (fwd)

Luke Kenneth Casson Leighton lkcl at switchboard.net
Sat Apr 4 15:32:59 GMT 1998

Luke Kenneth Casson Leighton <lkcl at samba.anu.edu.au>
Samba and Network Development   http://mailhost.cb1.com/~lkcl
Samba and Network Consultancy   http://www.samba.co.uk

---------- Forwarded message ----------
Date: Sat, 4 Apr 1998 16:32:40 +0100 (BST)
From: Luke Kenneth Casson Leighton <lkcl at switchboard.net>
To: "Jens B. Jorgensen" <jjorgens at bdsinc.com>
Subject: Re: programming question: authenticating to a domain controller

On Fri, 3 Apr 1998, Jens B. Jorgensen wrote:

> Some more...
> 
> Luke Kenneth Casson Leighton wrote:
> 
> > On Thu, 2 Apr 1998, Jens B. Jorgensen wrote:
> >
> > > Whoa. That works alright. Cool stuff. How come lsaquery must come first? Is
> > > there info gleaned which is used in the subsequent 'ntlogin'?
> >
> > yep: the SID.
> >
> > > Also, is it
> > > necessary that the computer be a member of the domain?
> >
> > yep.
> >
> > > If so, should it be
> > > necessary?
> >
> > yep, for security reasons: you can't fake a login from an unregistered
> > computer, basically.  same as with NIS+.
> >
> 
> Hmmm, I don't see why not. Unless there's some shared secret key or public/private
> keys which are kept on both systems I don't see why you couldn't fake membership.

there is: each machine, as mentioned, has its own user account, with a
16-byte NT clear-text-equivalent hash, just like "physical" users have.

yes, you could conceivably fake membership by pretending to be another
machine when you are not.

> It would seem that all you need do is claim to be another computer which is a
> member of the domain, right?

yes, you could.  so all we need to do to counter this is to do a
reverse-netbios-lookup on the caller's ip address.  if the name is
different, refuse the connection.

luke
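To make the argument in this thread concrete, here is an added toy model of the domain-controller side of a machine login. It is not Samba code and not the real NT netlogon credential computation: the 16-byte per-machine secret stands in for the machine account's NT hash the thread mentions, an HMAC over the DC's challenge stands in for the credential computation, and the machine-account and reverse-lookup tables are constructed. It shows the two checks Luke describes: the caller's address must resolve back to the name it claims, and the caller must prove it holds that machine's secret.

```python
import hashlib
import hmac
import os

# Constructed machine-account database: NetBIOS name -> 16-byte secret.
# In NT this secret is the machine account's NT hash (the "clear-text
# equivalent" the thread refers to); these values are made up.
MACHINE_ACCOUNTS = {
    "WS-ALICE": bytes.fromhex("0123456789abcdef0123456789abcdef"),
    "WS-BOB":   bytes.fromhex("fedcba9876543210fedcba9876543210"),
}

# Constructed table standing in for a reverse NetBIOS lookup (or a DNS
# PTR query) of the caller's IP address.
REVERSE_LOOKUP = {
    "192.0.2.10": "WS-ALICE",
    "192.0.2.11": "WS-BOB",
    "192.0.2.99": "UNREGISTERED",
}


def reverse_lookup(ip):
    """Name the network says lives at `ip`, or None if unknown."""
    return REVERSE_LOOKUP.get(ip)


def compute_response(secret, challenge):
    """Keyed MAC over the DC's challenge.

    Stand-in for the NT credential computation (assumption, not the real
    algorithm): only a holder of `secret` can produce a matching value
    for a fresh challenge.
    """
    return hmac.new(secret, challenge, hashlib.sha256).digest()


def dc_authenticate(claimed_name, caller_ip, challenge, response):
    """Domain-controller side. Returns (accepted, reason)."""
    # 1. Check proposed in the thread: the caller's address must resolve
    #    back to the name it claims, otherwise refuse before any crypto.
    resolved = reverse_lookup(caller_ip)
    if resolved != claimed_name:
        return False, "name mismatch"
    # 2. Only registered members have a machine account at all.
    secret = MACHINE_ACCOUNTS.get(claimed_name)
    if secret is None:
        return False, "not a domain member"
    # 3. The caller must prove it holds that machine's secret.
    expected = compute_response(secret, challenge)
    if not hmac.compare_digest(expected, response):
        return False, "bad credential"
    return True, "ok"


def simulate_login(claimed_name, caller_ip, secret_known_to_caller):
    """Run one challenge/response round trip and return the DC's verdict."""
    challenge = os.urandom(8)                                       # DC -> caller
    response = compute_response(secret_known_to_caller, challenge)  # caller -> DC
    return dc_authenticate(claimed_name, caller_ip, challenge, response)


if __name__ == "__main__":
    wrong_secret = b"\x00" * 16
    # Genuine member from its own address.
    print(simulate_login("WS-ALICE", "192.0.2.10", MACHINE_ACCOUNTS["WS-ALICE"]))
    # Unregistered host merely claiming a member's name: refused by the lookup.
    print(simulate_login("WS-ALICE", "192.0.2.99", wrong_secret))
    # Name and address agree, but the machine secret is not known.
    print(simulate_login("WS-ALICE", "192.0.2.10", wrong_secret))
    # Host that is not in the domain at all.
    print(simulate_login("UNREGISTERED", "192.0.2.99", wrong_secret))
```

The reverse lookup is a consistency check between the claimed name and the network's view of the caller's address; it is the machine secret that actually proves membership, which is why the third case is refused even though the lookup passes.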
