Re: NTLM

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Sun, 24 Feb 2002 02:47:44 +0100

On Sunday 24 February 2002 01:58, Robert Collins wrote:

> > b) Why isn't the negotiate packet sent to the helper? Doesn't the
> > DC need the user's domain name to generate a correct challenge in
> > case of trust relations or multi-domain configurations?
>
> No. The authenticating workstation uses the secure channel to pass
> the triple (challenge,result,user) to a domain controller of its
> domain, which then passes the same to the correct domain if the
> user is not in its domain.

I think you should even if it is not needed for the current NTLMSSP
or winbind helpers. If you do then one can easily write a
multi-domain NTLMSSP helper without the need of trust relations by
simply having a domain->dc translation table in the helper.

And are you absolutely sure the domain isn't used when generating the
NTLMSSP challenge, for any purpose?

Regards
Henrik
Received on Sat Feb 23 2002 - 18:46:51 MST
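
Added example (not part of the original message and not Squid's helper code): a sketch of the domain->dc translation table described above, assuming the helper is handed the base64 NTLMSSP negotiate (type 1) blob. The table entries, `DEFAULT_DC` and all function names are hypothetical; the sample message is constructed.

```python
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
OEM_DOMAIN_SUPPLIED = 0x00001000  # negotiate flag: domain field is populated

# Hypothetical translation table; domain and DC names are constructed.
DOMAIN_TO_DC = {"SALES": "dc1.sales.example", "ENGINEERING": "dc1.eng.example"}
DEFAULT_DC = "dc1.corp.example"  # assumption: fallback when no domain matches


def negotiate_domain(blob_b64):
    """Return the client-supplied domain of a type 1 message, or None."""
    msg = base64.b64decode(blob_b64, validate=True)  # ValueError on bad input
    if len(msg) < 16 or msg[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    msg_type, flags = struct.unpack_from("<II", msg, 8)
    if msg_type != 1:
        raise ValueError("not a negotiate (type 1) message")
    if not flags & OEM_DOMAIN_SUPPLIED or len(msg) < 24:
        return None
    length, _max_len, offset = struct.unpack_from("<HHI", msg, 16)
    if length == 0:
        return None
    # Length and offset are client-controlled: bounds-check before slicing.
    if offset < 32 or offset + length > len(msg):
        raise ValueError("domain field points outside the message")
    # The type 1 domain is OEM-encoded; ASCII decoding is a simplification.
    return msg[offset:offset + length].decode("ascii", "replace").upper()


def choose_dc(blob_b64):
    """Pick the DC that should issue the challenge for this negotiate."""
    # The domain is an unauthenticated hint: it only selects a DC here.
    return DOMAIN_TO_DC.get(negotiate_domain(blob_b64), DEFAULT_DC)


def build_negotiate(domain=b"", workstation=b""):
    """Build a constructed type 1 message (OEM strings, no version field)."""
    flags = 0x00000202  # NEGOTIATE_NTLM | NEGOTIATE_OEM
    flags |= OEM_DOMAIN_SUPPLIED if domain else 0
    flags |= 0x00002000 if workstation else 0  # OEM workstation supplied
    body = NTLMSSP_SIGNATURE + struct.pack("<II", 1, flags)
    body += struct.pack("<HHI", len(domain), len(domain), 32 + len(workstation))
    body += struct.pack("<HHI", len(workstation), len(workstation), 32)
    return base64.b64encode(body + workstation + domain).decode()


if __name__ == "__main__":
    print(choose_dc(build_negotiate(b"sales", b"WS1")))
```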
