Windows clients and NT domain membership.
Christopher R. Hertel
crh at ubiqx.mn.org
Wed Nov 5 17:57:57 GMT 2003
On Wed, Nov 05, 2003 at 08:11:15AM -0800, Matt Seitz wrote:
> Christopher R. Hertel wrote:
> >If there's a Windows system (NT, 2k, etc.) that is a Domain member, and if
> >that system is used as a desktop client system, what benefits (if any) does
> >the desktop user gain?
>
> Easier access to other machines in the domain. If the machine is a domain
> member, and the user logs in with his domain account, then the user can
> access other machines in the domain without having to enter a different
> account name and password.
>
> It is possible to get the same effect by creating a local account with the
> same user name and password. But then you have to keep those accounts
> synchronized.
Right.

My question is a little more detailed, though. I have heard some folks
claim that once the client logs on to the domain there is no need to log
on to individual domain member servers.

From the user's perspective that may be true, but I believe it is because
the client caches the credentials. I believe that, upon connecting to a
new SMB server (a domain member server), the client must still go through
the SMB logon process, and the SMB server still performs the
\\PIPE\NETLOGON authentication step.

That's what I got from re-reading the documentation that's available after
I posted last night.

I've read a few things which state that NT Domains pass "tokens" that
allow the client to authenticate with servers without having to re-submit
credentials (even cached credentials). That model applies to Kerberos
authentication, certainly, but I don't have any evidence that anything
like that is outside of Kerberos.

Thanks for the reply!

Chris -)-----
--
"Implementing CIFS - the Common Internet FileSystem" ISBN: 013047116X
Samba Team -- http://www.samba.org/ -)----- Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/ -)----- ubiqx development, uninq.
ubiqx Team -- http://www.ubiqx.org/ -)----- crh at ubiqx.mn.org
OnLineBook -- http://ubiqx.org/cifs/ -)----- crh at ubiqx.org