
Re: [Samba] Using ntlm_auth to get NTLMv2 Session support from an application




On Fri, 2017-04-21 at 14:12 -0700, Jeremy Allison via samba wrote:
> On Wed, Apr 19, 2017 at 03:47:05PM -0400, pisymbol . wrote:
> > On Wed, Apr 19, 2017 at 1:08 PM, Jeremy Allison <jra@xxxxxxxxx> wrote:
> > > 
> > > > Any insight, feedback into this issue would be much
> > > > appreciated.
> > > 
> > > The squid program does this. Maybe look into the code they
> > > use for their integration?
> > > 
> > > http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm
> > 
> > 
> > Jeremy, thanks! That's exactly what I was looking at.
> > 
> > So here's a better question: Can you give me a brief technical
> > explanation on how this exactly works with respect to establishing a
> > session? The goal is basically to have mount.davfs first establish an
> > NTLMv2 session (using 128-bit encryption) and then be able to access
> > files through it using standard filesystem calls.
> 
> Not quickly. Probably best to look into the squid code itself
> and see how they drive it.

Also look into Wine.  Kai did something very similar there a long time
ago.

Your task is fairly easy as the resulting HTTP session won't be NTLMSSP
encrypted, just authenticated with NTLMSSP, so you don't need to
involve Samba long-term, or get out encryption keys. 

See the 'squid' helper modes, there is ntlmssp-client-1 that you should
use.

You can also play with NTLMSSP over mouse-buffer between that and the
squid-2.5-ntlmssp server mode.  Set --password on the server and it
becomes a standalone binary that does not need Samba running.

I hope this helps,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
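
Added example, not part of the message above and not Samba or squid code: a small relay that does the "mouse-buffer" copy between an ntlmssp-client-1 helper and a squid-2.5-ntlmssp helper automatically. The YR/TT/KK/AF line format follows the ntlm_auth helper protocol as I understand it; the credentials, the --username/--domain flags on the server side, and the fake helpers with their tokens are constructed assumptions for a lab run.

```python
import shutil
import subprocess

def helper(argv):
    """Start an ntlm_auth helper; return ask(line) -> one reply line."""
    p = subprocess.Popen(argv, stdin=subprocess.PIPE, stdout=subprocess.PIPE,
                         text=True, bufsize=1)
    def ask(line):
        p.stdin.write(line + "\n")
        p.stdin.flush()
        return p.stdout.readline().rstrip("\n")
    return ask

def relay(client_ask, server_ask, max_legs=4):
    """Carry NTLMSSP tokens between the two helpers.

    Returns (True, user) when the server says "AF", else (False, offending line).
    """
    msg = client_ask("YR")                      # client replies "YR <negotiate>"
    for _ in range(max_legs):
        code, _, blob = msg.partition(" ")
        if code not in ("YR", "KK", "AF") or not blob:
            return False, "client: " + msg
        verb = "YR" if code == "YR" else "KK"   # server wants YR first, then KK
        reply = server_ask(verb + " " + blob)
        rcode, _, rarg = reply.partition(" ")
        if rcode == "AF":                       # authenticated; rarg names the user
            return True, rarg
        if rcode != "TT":                       # NA / BH / anything unexpected
            return False, "server: " + reply
        msg = client_ask("TT " + rarg)          # hand the challenge to the client
    return False, "exchange did not finish"

# Constructed stand-ins so the relay runs without Samba; tokens are not real NTLMSSP.
def fake_client(line):
    return {"YR": "YR bmVn", "TT Y2hhbA==": "KK YXV0aA=="}.get(line, "BH")

def fake_server(line):
    return {"YR bmVn": "TT Y2hhbA==", "KK YXV0aA==": "AF LAB\\alice"}.get(line, "NA denied")

if __name__ == "__main__":
    if shutil.which("ntlm_auth"):
        # Assumed lab credentials; both helpers get the same ones.
        cred = ["--username=alice", "--domain=LAB", "--password=constructed-pw"]
        c = helper(["ntlm_auth", "--helper-protocol=ntlmssp-client-1"] + cred)
        s = helper(["ntlm_auth", "--helper-protocol=squid-2.5-ntlmssp"] + cred)
        print(relay(c, s))
    else:
        print(relay(fake_client, fake_server))
```

In an HTTP client the server side of this relay is replaced by the Authorization and WWW-Authenticate headers, which carry the same base64 tokens.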

