[OpenAFS-devel] [Win] Status of remote logins

Luke Howard lukeh@padl.com
Sat, 26 Feb 2005 10:22:03 +1100


>The Windows client workstation is joined to a DOMAIN.  It shares a 
>secret with the Domain Controllers.  When the machine boots it looks
>for the Domain Controllers and does machine startup things.
>
>When a user logs in with the name DOMAIN\user, it goes to the domain
>and obtains the account info.
>
>When a user logs in with the name user@KERBEROS, it goes to the domain
>to see if this name is mapped to a Domain account.
>
>It does this via RPCs.

This isn't entirely correct.

The workstation does use RPC to determine the nature of the domains
trusted by the workstation (directly or otherwise). It does this
whenever it reopens the secure channel to the domain controller.

It will always attempt a Kerberos logon unless the domain is downlevel
or the KDC cannot be reached, regardless of whether you log on as
user@KERBEROS or DOMAIN\user. In the latter case the Kerberos realm is
"DOMAIN", and is canonicalized to a DNS realm name by the KDC.

In the Kerberos case, the profile path is retrieved from the
authorization data in the service ticket to the workstation. In the
downlevel case, it is retrieved from the interactive logon RPC. 

-- Luke
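A practical check for the distinction Luke draws (Kerberos logon versus the downlevel RPC fallback) is to ask the workstation which authentication package each interactive logon session actually used. The following PowerShell is an added example, not code from this thread or from OpenAFS; it relies only on the standard Win32_LogonSession and Win32_Account CIM classes. The logon-type numbers and the "Kerberos"/"NTLM" package names are as documented for Win32_LogonSession; the column names in the output object are my own choice.

```powershell
# Added example (not from the mailing-list thread): list the interactive
# logon sessions on this workstation and report which authentication
# package each one used. A DOMAIN\user logon that went through Kerberos
# shows "Kerberos"; a downlevel or KDC-unreachable logon shows "NTLM".
#
# LogonType values from the Win32_LogonSession documentation:
#   2 = Interactive, 3 = Network, 10 = RemoteInteractive, 11 = CachedInteractive
$typeNames = @{ 2 = 'Interactive'; 3 = 'Network'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive' }

Get-CimInstance -ClassName Win32_LogonSession |
  Where-Object { $_.LogonType -in 2, 10, 11 } |
  ForEach-Object {
    $session = $_
    # Win32_LoggedOnUser associates each session with its Win32_Account;
    # sessions with no account mapping (system sessions) are reported as unknown.
    $account = Get-CimAssociatedInstance -InputObject $session `
                 -ResultClassName Win32_Account -ErrorAction SilentlyContinue |
               Select-Object -First 1

    [pscustomobject]@{
      LogonId     = $session.LogonId
      User        = if ($account) { "$($account.Domain)\$($account.Name)" } else { '(unknown)' }
      LogonType   = $typeNames[[int]$session.LogonType]
      AuthPackage = $session.AuthenticationPackage
      UsedKerb    = ($session.AuthenticationPackage -eq 'Kerberos')
      Start       = $session.StartTime
    }
  } | Format-Table -AutoSize
```

Run it in an elevated PowerShell on the workstation; a cached (type 11) logon with AuthPackage "NTLM" is the signature of the KDC-unreachable case, while a type 2 logon showing "Kerberos" is the normal path Luke describes. To see the service ticket to the workstation itself (the one whose authorization data carries the profile path), run `klist` in the user's session and look for the host/ principal of the local machine.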
