
Re: [Samba] Using ntlm_auth to get NTLMv2 Session support from an application

On Sat, 2017-04-22 at 17:45 -0400, pisymbol . wrote:
> 
> 
> On Sat, Apr 22, 2017 at 4:49 PM, Andrew Bartlett <abartlet@xxxxxxxxx>
> wrote:
> > On Sat, 2017-04-22 at 13:41 -0400, pisymbol . wrote:
> > >
> > 
> > > > Your task is fairly easy as the resulting HTTP session won't be
> > > > NTLMSSP encrypted, just authenticated with NTLMSSP, so you don't
> > > > need to involve Samba long-term, or get out encryption keys.
> > >
> > > Right, but clarification Andrew: What do you mean the resultant
> > > session won't be NTLMSSP encrypted? I thought that was the whole
> > > point of NTLMv2 session security.
> > 
> > Indeed, but the use on HTTP is dodgy, similar to SMBv1 without
> > signing - the session is set up, but cleartext and not even
> > authenticated (e.g. crypto checksum) after that.  Another good
> > example is LDAP, which allowed (until we turned it off by default
> > in Samba) LDAP binds without the subsequent encryption.
> > 
> > Sadly HTTP has no 'subsequent encryption' option that I'm aware of.
> > 
> 
> I would assume once the socket has been set up the davfs commands
> would go over the NTLMv2 encrypted session? Did I miss something
> here?

Yes, you missed that, as DAV is essentially HTTP, there is no encrypted
session, except for possibly an SSL wrapper.

I suggest spending some 'quality time' with Wireshark and seeing what
you are trying to imitate; perhaps I'm all out of date, but this is how
I understand the protocols.

I hope this helps,

Andrew Bartlett
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
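A small check in the spirit of Andrew's Wireshark suggestion, added here and not part of the thread or of Samba: it decodes the NTLMSSP token carried in an HTTP `Authorization: NTLM ...` (or `WWW-Authenticate`) header and lists the negotiated flags, so you can see whether SIGN/SEAL were even negotiated. Flag values and field offsets follow MS-NLMP; the sample header is constructed inline.

```python
import base64
import struct

# NTLMSSP NegotiateFlags bits (MS-NLMP 2.2.2.5). Note that over HTTP these bits
# only describe what the two sides *asked for*: there is no later signed or
# sealed NTLMSSP payload on the wire, so only TLS actually protects the session.
FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000010: "NEGOTIATE_SIGN",
    0x00000020: "NEGOTIATE_SEAL",
    0x00000200: "NEGOTIATE_NTLM",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",  # the "NTLMv2 session" bit
    0x20000000: "NEGOTIATE_128",
    0x40000000: "NEGOTIATE_KEY_EXCH",
}
# Byte offset of NegotiateFlags in NEGOTIATE (1), CHALLENGE (2), AUTHENTICATE (3)
FLAGS_OFFSET = {1: 12, 2: 20, 3: 60}

def parse_ntlm_header(value: str) -> dict:
    """Decode an HTTP NTLM header value and report message type and flags."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.upper() != "NTLM":
        raise ValueError("not an NTLM header")
    msg = base64.b64decode(token)
    if msg[:8] != b"NTLMSSP\x00":
        raise ValueError("bad NTLMSSP signature")
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    if msg_type not in FLAGS_OFFSET or len(msg) < FLAGS_OFFSET[msg_type] + 4:
        raise ValueError(f"truncated or unknown NTLMSSP message (type {msg_type})")
    (flags,) = struct.unpack_from("<I", msg, FLAGS_OFFSET[msg_type])
    return {
        "type": msg_type,
        "flags": flags,
        "names": sorted(name for bit, name in FLAGS.items() if flags & bit),
        "sign": bool(flags & 0x00000010),
        "seal": bool(flags & 0x00000020),
    }

def build_negotiate(flags: int) -> str:
    """Constructed sample: minimal NEGOTIATE_MESSAGE with empty domain/workstation."""
    body = b"NTLMSSP\x00" + struct.pack("<I", 1) + struct.pack("<I", flags)
    body += struct.pack("<HHI", 0, 0, 32) * 2  # empty DomainName and Workstation fields
    return "NTLM " + base64.b64encode(body).decode()

if __name__ == "__main__":
    hdr = build_negotiate(0x00000001 | 0x10 | 0x20 | 0x200 | 0x80000 | 0x20000000)
    print(parse_ntlm_header(hdr))
```

Paste the base64 token from a captured header into `parse_ntlm_header` to inspect a real exchange; a CHALLENGE or AUTHENTICATE token is handled the same way via its own flag offset.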

