
remote share login to win2k3 (and SetBlanket)



    Can someone tell me if this is normal...
    So I have a share on a Windows Server 2003, and it is an Active Directory (i.e. DoCon)

    But if I browse to the share from e.g. Win XP, a login box appears (as I am not logged into an AD account and/or not in the domain).

    So for the username I type
    DoCon\username, it works.
    username, it works
    Other\username, it works.

    If logging in from an unknown domain, 'Other\username', shouldn't this fail, as you're not logging into the DoCon domain?

    So apparently it just ignores the domain information and throws it away and only requires the username.

    I have searched for something, NTLMSSP, and somewhere in the doc I found, it mentions
    "If there is no trust relationship between the client and server" (is this the same as NOT being in the domain? / not on the same network); then it mentions "if the server has a local account with the same name and password as the client, that account will be used to represent the client."
    I'm assuming "local account" also means an AD account too?

    As we're running Samba servers on Linux machines, the above doesn't happen, and 'Other\username' will NOT work; the only thing that works is DoCon\username, which seems to be more secure? Or does it really matter?

    To make life easier, I'd like to disable that setting on Samba (but I have no experience with Samba, and I am not the sysadmin of it; I tried to find some information about it but failed) so it allows any domain\username
    (This is basically because of a stupid "Managed" XP desktop, which doesn't have a "map network drives" option, and no persistence, and is also on another network, not in the domain. So it's a bit of a pain for the girls to use any resources, and every time they restart, they need to do the net use command every single time. That is because Samba throws away 'other\username')

    Also, if I am thinking of improving (NOT at this point) the login on the DoCon AD, what would I need to do to change the setting so it must require DoCon\username when logging in, and would deny any other 'Other\username' due to wrong domain server which does require the actual domain name 'DoCon'...

    But I have found something, IClientSecurity::SetBlanket, but I have no clue about it, or how to use the COM security protocols/access/utilities. But is it recommended to do so?
    Even though I'd like to disable 'domain requirement' on the Samba/Linux server... which I have no idea where and how to do... anyone with Samba experience?

    hopefully understanding, helpful etc,