Andrew Bartlett
2017-Apr-21 21:28 UTC
[Samba] Using ntlm_auth to get NTLMv2 Session support from an application
On Fri, 2017-04-21 at 14:12 -0700, Jeremy Allison via samba wrote:> On Wed, Apr 19, 2017 at 03:47:05PM -0400, pisymbol . wrote: > > On Wed, Apr 19, 2017 at 1:08 PM, Jeremy Allison <jra at samba.org> > > wrote: > > > > > > > Any insight, feedback into this issue would be much > > > > appreciated. > > > > > > The squid program does this. Maybe look into the code they > > > use for their integration ? > > > > > > http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm > > > > > > Jeremy, thanks! That's exactly what I was looking at. > > > > So here's a better question: Can you give me a brief technical > > explanation > > on how this exactly works with respect to establishing a session? > > The goal > > is basically to have mount.davfs first establish an NTLMv2 session > > (using > > 128-bit encryption) and then be able to access files through it > > using > > standard filesystem calls. > > Not quickly. Probably best to look into the squid code itself > and see how they drive it.Also look into Wine. Kai did something very similar there a long time ago. Your task is fairly easy as the resulting HTTP session won't be NTLMSSP encrypted, just authenticated with NTLMSSP, so you don't need to involve Samba long-term, or get out encryption keys. See the 'squid' helper modes, there is ntlmssp-client-1 that you should use. You can also play with NTLMSSP over mouse-buffer between that and the squid-2.5-ntlmssp server mode. Set --password on the server and it becomes standalone binary that does not need Samba running. I hope this helps, Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
pisymbol .
2017-Apr-22 17:41 UTC
[Samba] Using ntlm_auth to get NTLMv2 Session support from an application
On Fri, Apr 21, 2017 at 5:28 PM, Andrew Bartlett <abartlet at samba.org> wrote:> On Fri, 2017-04-21 at 14:12 -0700, Jeremy Allison via samba wrote: > > Not quickly. Probably best to look into the squid code itself > > and see how they drive it. > > Also look into Wine. Kai did something very similar there a long time > ago. >I like red! Not so much white. Your task is fairly easy as the resulting HTTP session won't be NTLMSSP> encrypted, just authenticated with NTLMSSP, so you don't need to > involve Samba long-term, or get out encryption keys. >Right, but clarification Andrew: What do you mean the resultant session won't be NTLMSSP encrypted? I thought that was the whole point of NTLMv2 session security.> > See the 'squid' helper modes, there is ntlmssp-client-1 that you should > use. > >That's what I figured.> You can also play with NTLMSSP over mouse-buffer between that and the > squid-2.5-ntlmssp server mode. Set --password on the server and it > becomes standalone binary that does not need Samba running.It does, but I need to understand the flow better on how I can funnel mount davfs traffic through it (I thought originally this could be done using upcall but that doesn't make sense - I think). I do appreciate the feedback gentlemen. -aps
Andrew Bartlett
2017-Apr-22 20:49 UTC
[Samba] Using ntlm_auth to get NTLMv2 Session support from an application
On Sat, 2017-04-22 at 13:41 -0400, pisymbol . wrote:> > > On Fri, Apr 21, 2017 at 5:28 PM, Andrew Bartlett <abartlet at samba.org> > wrote: > > On Fri, 2017-04-21 at 14:12 -0700, Jeremy Allison via samba wrote: > > > Not quickly. Probably best to look into the squid code itself > > > and see how they drive it. > > > > Also look into Wine. Kai did something very similar there a long > > time > > ago. > > I like red! Not so much white.;-)> > Your task is fairly easy as the resulting HTTP session won't be > > NTLMSSP > > encrypted, just authenticated with NTLMSSP, so you don't need to > > involve Samba long-term, or get out encryption keys. > > Right, but clarification Andrew: What do you mean the resultant > session won't be NTLMSSP encrypted? I thought that was the whole > point of NTLMv2 session security.Indeed, but the use on HTTP is dodgy, similar to SMBv1 without signing - the session is set up, but cleartext and not even authenticated (eg crypto checksum) after that. Another good example is LDAP, which allowed (until we turned it off by default in Samba) LDAP binds without the subsequent encryption. Sadly HTTP has no 'subsequent encryption' option that I'm aware of.> > See the 'squid' helper modes, there is ntlmssp-client-1 that you > > should > > use. > > > > That's what I figured. > > > You can also play with NTLMSSP over mouse-buffer between that and > > the > > squid-2.5-ntlmssp server mode. Set --password on the server and it > > becomes standalone binary that does not need Samba running. > > It does, but I need to understand the flow better on how I can funnel > mount davfs traffic through it (I thought originally this could be > done using upcall but that doesn't make sense - I think).You pass only the NTLM headers via ntlm_auth, the rest you keep in the binary that makes the actual socket connection.> I do appreciate the feedback gentlemen.Thanks! Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
Seemingly Similar Threads
- Using ntlm_auth to get NTLMv2 Session support from an application
- Using ntlm_auth to get NTLMv2 Session support from an application
- Using ntlm_auth to get NTLMv2 Session support from an application
- Using ntlm_auth to get NTLMv2 Session support from an application
- Using ntlm_auth to get NTLMv2 Session support from an application