Web lists-archives.com

Re: [Samba] Using ntlm_auth to get NTLMv2 Session support from an application




On Sat, Apr 22, 2017 at 4:49 PM, Andrew Bartlett <abartlet@xxxxxxxxx> wrote:

> On Sat, 2017-04-22 at 13:41 -0400, pisymbol . wrote:
> >
>
> > > Your task is fairly easy as the resulting HTTP session won't be
> > > NTLMSSP
> > > encrypted, just authenticated with NTLMSSP, so you don't need to
> > > involve Samba long-term, or get out encryption keys.
> >
> > Right, but clarification Andrew: What do you mean the resultant
> > session won't be NTLMSSP encrypted? I thought that was the whole
> > point of NTLMv2 session security.
>
> Indeed, but the use on HTTP is dodgy, similar to SMBv1 without signing
> - the session is set up, but cleartext and not even authenticated (eg
> crypto checksum) after that.  Another good example is LDAP, which
> allowed (until we turned it off by default in Samba) LDAP binds without
> the subsequent encryption.
>
> Sadly HTTP has no 'subsequent encryption' option that I'm aware of.
>
>
I would assume once the socket has been setup the davfs commands would go
over the NTLMv2 encrypted session? Did I miss something here?

-aps
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba