> The Windows client workstation is joined to a DOMAIN. It shares a
> secret with the Domain Controllers. When the machine boots it looks
> for the Domain Controllers and does machine startup things.
>
> When a user logs in with the name DOMAIN\user, it goes to the domain
> and obtains the account info.
>
> When a user logs in with the name [EMAIL PROTECTED], it goes to the domain
> to see if this name is mapped to a Domain account.
>
> It does this via RPCs.
This isn't entirely correct. The workstation does use RPC to determine the nature of the domains trusted by the workstation (directly or otherwise). It does this whenever it reopens the secure channel to the domain controller.

It will always attempt a Kerberos logon unless the domain is downlevel or the KDC cannot be reached, regardless of whether you log on as [EMAIL PROTECTED] or DOMAIN\user. In the latter case the Kerberos realm is "DOMAIN", and is canonicalized to a DNS realm name by the KDC.

In the Kerberos case, the profile path is retrieved from the authorization data in the service ticket to the workstation. In the downlevel case, it is retrieved from the interactive logon RPC.

-- Luke

--
_______________________________________________
OpenAFS-devel mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-devel
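The logon-path rule Luke describes above (both the DOMAIN\user and user@realm spellings go through Kerberos unless the domain is downlevel or no KDC answers, in which case the interactive logon RPC is used), written out as an added Python example that is not part of the original thread. The trusted-domain table, its field names, and the `TrustedDomain`, `parse_logon_name` and `choose_logon` helpers are all assumptions constructed for the illustration; Windows itself does this inside the LSA, not in user code.

```python
"""Added example (not from the mailing-list post): normalize a Windows logon
name and pick the logon path using the rule stated in the reply above.

Everything here is constructed for illustration: the trusted-domain table,
its fields, and the helper names are assumptions, not a Windows API.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class TrustedDomain:
    """One row of a constructed trusted-domain table (assumption)."""
    netbios: str         # NetBIOS name used in the DOMAIN\user form
    dns_realm: str       # canonical Kerberos realm; empty for downlevel domains
    downlevel: bool      # True for a domain with no Kerberos KDC (NT4-style)
    kdc_reachable: bool  # constructed flag: did a KDC answer for this domain?


def parse_logon_name(name: str) -> Tuple[str, str]:
    """Split a logon name into (user, realm_hint).

    "DOMAIN\\user"  -> ("user", "DOMAIN")
    "user@realm"    -> ("user", "realm")
    A bare user name yields an empty realm hint.
    """
    if "\\" in name:
        domain, user = name.split("\\", 1)
        return user, domain
    if "@" in name:
        user, realm = name.rsplit("@", 1)
        return user, realm
    return name, ""


def lookup_domain(hint: str, trust_table) -> Optional[TrustedDomain]:
    """Canonicalize a NetBIOS or DNS realm hint against the trust table.

    Mirrors the post: a NetBIOS-style "DOMAIN" hint is mapped to the DNS
    realm (the KDC does this in reality). Matching is case-insensitive.
    """
    if not hint:
        return None
    upper = hint.upper()
    for dom in trust_table:
        candidates = {dom.netbios.upper()}
        if dom.dns_realm:
            candidates.add(dom.dns_realm.upper())
        if upper in candidates:
            return dom
    return None


def choose_logon(name: str, trust_table) -> Tuple[str, Optional[str]]:
    """Return (logon_path, principal_or_domain) for a logon name.

    Kerberos is attempted unless the domain is downlevel or its KDC is
    unreachable; then the interactive logon RPC path is used.
    """
    user, hint = parse_logon_name(name)
    dom = lookup_domain(hint, trust_table)
    if dom is None:
        return ("unknown-domain", None)
    if dom.downlevel or not dom.kdc_reachable:
        # Downlevel path: profile path comes from the interactive logon RPC.
        return ("interactive-logon-rpc", dom.netbios)
    # Kerberos path: profile path comes from the service ticket's
    # authorization data; realm is the canonical DNS realm.
    return ("kerberos", f"{user}@{dom.dns_realm}")


# Constructed sample trust table for the demonstration.
SAMPLE_TRUST_TABLE = (
    TrustedDomain("CORP", "CORP.EXAMPLE.COM", downlevel=False, kdc_reachable=True),
    TrustedDomain("BRANCH", "BRANCH.EXAMPLE.COM", downlevel=False, kdc_reachable=False),
    TrustedDomain("LEGACY", "", downlevel=True, kdc_reachable=False),
)

if __name__ == "__main__":
    for n in ("CORP\\alice", "alice@corp.example.com", "BRANCH\\bob", "LEGACY\\carol", "dave"):
        print(n, "->", choose_logon(n, SAMPLE_TRUST_TABLE))
```

Both spellings of the same account resolve to the same Kerberos principal, which is the point of the reply: the name form does not select the authentication protocol; the domain's capabilities and KDC reachability do.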
