pisymbol .
2017-Apr-19  15:03 UTC
[Samba] Using ntlm_auth to get NTLMv2 Session support from an application
Hello:

As many of you already probably know, the neon library is the workhorse for davfs support.

However, right now, the current version of libneon has very limited support for NTLM, particularly NTLMv2, both on the challenge/authentication side as well as handling NTLMv2 Session Security.

There is a patch somewhere to add NTLMv2 authentication support natively but there is zero support for NTLMv2 session security. What this means is that if you try to mount a share using davfs and the server in question requires 128-bit session security, libneon fails to negotiate and the mount fails. I have at least one enterprise customer who relies on NTLMv2 exclusively (despite the fact the world has moved on to HTTPS).

Is there a way to hook up the "ntlm_auth" utility to do the heavy lifting of authenticating/creating NTLMv2 sessions in order to mount using davfs?

I realize I may be barking up the wrong tree, but I am trying to come up with a way to leverage Samba's already robust support for Windows authentication without having to duplicate the effort within libneon and friends (I am not the maintainer but I do have an urgent desire to mount Sharepoint shares using davfs via NTLMv2 session security).

Any insight, feedback into this issue would be much appreciated.

Thanks!

-aps

PS Can anyone please explain to me why all the list mail's subjects are always prepended with [Samba]? (I manually added it to be in vogue)

Jeremy Allison
2017-Apr-19  17:08 UTC
[Samba] Using ntlm_auth to get NTLMv2 Session support from an application
On Wed, Apr 19, 2017 at 11:03:34AM -0400, pisymbol . via samba wrote:

> Hello:
>
> As many of you already probably know, the neon library is the workhorse for
> davfs support.
>
> However, right now, the current version of libneon has very limited support
> for NTLM, particularly NTLMv2, both on the challenge/authentication side as
> well as handling NTLMv2 Session Security.
>
> There is a patch somewhere to add NTLMv2 authentication support natively
> but there is zero support for NTLMv2 session security. What this means is
> that if you try to mount a share using davfs and the server in question
> requires 128-bit session security, libneon fails to negotiate and the mount
> fails. I have at least one enterprise customer who relies on NTLMv2
> exclusively (despite the fact the world has moved on to HTTPS).
>
> Is there a way to hook up the "ntlm_auth" utility to do the heavy lifting
> of authenticating/creating NTLMv2 sessions in order to mount using davfs?
>
> I realize I may be barking up the wrong tree, but I am trying to come up
> with a way to leverage Samba's already robust support for Windows
> authentication without having to duplicate the effort within libneon and
> friends (I am not the maintainer but I do have an urgent desire to mount
> Sharepoint shares using davfs via NTLMv2 session security).
>
> Any insight, feedback into this issue would be much appreciated.

The squid program does this. Maybe look into the code they use for their integration?

http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm

pisymbol .
2017-Apr-19  19:47 UTC
[Samba] Using ntlm_auth to get NTLMv2 Session support from an application
On Wed, Apr 19, 2017 at 1:08 PM, Jeremy Allison <jra at samba.org> wrote:

> > Any insight, feedback into this issue would be much appreciated.
>
> The squid program does this. Maybe look into the code they
> use for their integration ?
>
> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm

Jeremy, thanks! That's exactly what I was looking at.

So here's a better question:

Can you give me a brief technical explanation on how this exactly works with respect to establishing a session? The goal is basically to have mount.davfs first establish an NTLMv2 session (using 128-bit encryption) and then be able to access files through it using standard filesystem calls.

The config example above is nice, but it doesn't really drill into how this all works.

Btw, full NTLMv2 Session Security is supported with samba3+ right?

-aps
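
Added example, not part of the thread and not Samba, neon or davfs2 code: a Python diagnostic that decodes the NTLM CHALLENGE (type 2) token from a "WWW-Authenticate: NTLM ..." header and lists the session-security flags the server set, which helps confirm a failure like the 128-bit negotiation problem described in the first message. Flag values and field offsets follow the NTLM specification ([MS-NLMP]); build_sample, the sample token and the client capability list are constructed assumptions.

```python
import base64
import struct

# NegotiateFlags bits relevant to session security, per [MS-NLMP].
FLAGS = {
    "SIGN": 0x00000010,
    "SEAL": 0x00000020,
    "EXTENDED_SESSIONSECURITY": 0x00080000,  # "NTLM2 session security"
    "128": 0x20000000,
    "KEY_EXCH": 0x40000000,
    "56": 0x80000000,
}

def parse_challenge(header_value):
    """Decode the value of a 'WWW-Authenticate: NTLM <base64>' type 2 header."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not blob:
        raise ValueError("not an NTLM challenge header")
    msg = base64.b64decode(blob, validate=True)
    if len(msg) < 32 or msg[:8] != b"NTLMSSP\x00":
        raise ValueError("truncated token or missing NTLMSSP signature")
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    if msg_type != 2:
        raise ValueError("expected CHALLENGE (type 2), got type %d" % msg_type)
    # NegotiateFlags sit at offset 20, the 8-byte ServerChallenge at offset 24.
    flags, challenge = struct.unpack_from("<I8s", msg, 20)
    return {
        "flags": flags,
        "server_challenge": challenge.hex(),
        "set": sorted(name for name, bit in FLAGS.items() if flags & bit),
    }

def session_security_gaps(parsed, client_supports):
    """Flags present in the server's challenge that the client cannot honour."""
    return sorted(set(parsed["set"]) - set(client_supports))

def build_sample(flags):
    """Constructed sample: minimal type 2 token, empty target name, fixed challenge."""
    body = struct.pack("<8sIHHII8s8s", b"NTLMSSP\x00", 2, 0, 0, 40,
                       flags, bytes(range(1, 9)), b"\x00" * 8)
    return "NTLM " + base64.b64encode(body).decode()

if __name__ == "__main__":
    # Constructed flags: UNICODE | SIGN | SEAL | NTLM | EXTENDED | 128 | KEY_EXCH
    header = build_sample(0x60080231)
    parsed = parse_challenge(header)
    print("server set:", parsed["set"])
    # Assumed capability list for a client without session security support.
    print("unsupported by client:", session_security_gaps(parsed, ["SIGN"]))
```
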