Lev Serebryakov
2002-Apr-08 01:37 UTC
[Samba] NTLM authorization & Samba (and other SMB-compatible) servers.

Hello samba,

I'm writing an NTLM module for SASL (to allow sendmail to authorize Outlook and Outlook Express). The module is ready and works great. But it can now only check passwords against the internal SASL database (I've written the Type{1,2,3} packet parsing myself).

I want to add the ability to check passwords on any SMB server.

How could I redirect auth. requests to such a server, if I know the IP of this server?

--
Best regards,
Lev
mailto:lev@serebryakov.spb.ru

Lev Serebryakov
2002-Apr-08 02:52 UTC
[Samba] NTLM authorization & Samba (and other SMB-compatible) servers.

Hello Tarjei,

Monday, April 08, 2002, 1:31:39 PM, you wrote:

TH> Hm. Do you use ldap? If so, you could have the sasl module check the
TH> ntpassword attribute on the ldap server through the sasl-ldap module
TH> written by simon. (see www.surf.org.uk)

TH> If not, wouldn't sasl w/ pam work?

I don't know. I don't want to use PAM or LDAP -- I know many places without them.

TH> Also, are you using sasl 2.x or 1.5.x?

1.5.x

--
Best regards,
Lev
mailto:lev@serebryakov.spb.ru

Andrew Bartlett
2002-Apr-08 05:23 UTC
[Samba] NTLM authorization & Samba (and other SMB-compatible) servers.

Lev Serebryakov wrote:
>
> Hello samba,
>
> I'm writing an NTLM module for SASL (to allow sendmail to authorize
> Outlook and Outlook Express). The module is ready and works great. But
> it can now only check passwords against the internal SASL database (I've
> written the Type{1,2,3} packet parsing myself).
>
> I want to add the ability to check passwords on any SMB server.
>
> How could I redirect auth. requests to such a server, if I know the IP of
> this server?

The best way (particularly given the GPL nature of all open-source SMB implementations on Unix) is to use winbindd. Winbind has a command that can allow you to specify both the challenge and the response and to forward these to a remote domain controller. Unfortunately the interface currently isn't very stable, but work is progressing.

BTW, what is your NTLM module implementing? NTLMSSP? I know of 3 existing implementations of this - we need to get these together if at all possible - the current situation is just silly.

Andrew Bartlett

--
Andrew Bartlett abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet@samba.org
Student Network Administrator, Hawker College abartlet@hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net

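An added example, not code from this thread, from Samba, or from the SASL module discussed: a minimal parser that pulls the server challenge out of a Type 2 message and the client's responses out of a Type 3 message, which is the challenge/response pair the reply above talks about forwarding. The field offsets follow the commonly documented NTLMSSP layout; the function names, the treatment of a missing flags word as OEM strings, and the sample messages are assumptions constructed for illustration.

```python
import struct

SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001
FIELDS = ("lm_response", "nt_response", "domain", "user", "workstation")

def _check(msg, msg_type, min_len):
    if len(msg) < min_len or msg[:8] != SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    if struct.unpack_from("<I", msg, 8)[0] != msg_type:
        raise ValueError("unexpected NTLMSSP message type")

def _secbuf(msg, pos):
    """Security buffer: length u16, allocated u16, offset u32 -> (offset, bytes)."""
    length, _alloc, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):  # never trust client-supplied offsets
        raise ValueError("security buffer points outside the message")
    return offset, msg[offset:offset + length]

def parse_type2(msg):
    """Return the 8-byte server challenge carried in a Type 2 message."""
    _check(msg, 2, 32)
    return msg[24:32]

def parse_type3(msg):
    """Return the client's responses and identity strings from a Type 3 message."""
    _check(msg, 3, 52)
    bufs = [_secbuf(msg, 12 + 8 * i) for i in range(len(FIELDS))]
    # Old clients omit the flags word; it exists only if the payload starts at byte 64 or later.
    first = min((off for off, data in bufs if data), default=len(msg))
    flags = struct.unpack_from("<I", msg, 60)[0] if first >= 64 else 0
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "latin-1"
    out = {name: data for name, (_off, data) in zip(FIELDS, bufs)}
    for name in FIELDS[2:]:
        out[name] = out[name].decode(enc, errors="replace")
    return out

def build_sample():
    """Constructed Type 2 / Type 3 pair; the 24-byte responses are dummy bytes."""
    type2 = SIGNATURE + struct.pack("<IHHII", 2, 0, 0, 32, NEGOTIATE_UNICODE) + bytes(range(1, 9))
    payload = [b"\xaa" * 24, b"\xbb" * 24]
    payload += [s.encode("utf-16-le") for s in ("EXAMPLE", "alice", "WS1")]
    hdr, off = b"", 64
    for part in payload + [b""]:  # sixth buffer: empty session key
        hdr += struct.pack("<HHI", len(part), len(part), off)
        off += len(part)
    type3 = SIGNATURE + struct.pack("<I", 3) + hdr + struct.pack("<I", NEGOTIATE_UNICODE) + b"".join(payload)
    return type2, type3
```

The parser only extracts fields; checking the responses against a password hash or a domain controller is left to whatever back end receives the challenge and the two responses.
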
Lev Serebryakov
2002-Apr-09 00:19 UTC
[Samba] NTLM authorization & Samba (and other SMB-compatible) servers.

Hello Andrew,

Tuesday, April 09, 2002, 1:40:40 AM, you wrote:

>> BTW, could I use libsmbclient for cli_logon() and other functions?
>> I've looked at samba code, and understand, that forwarding of packets
>> need RPC and IPC$ code, and it is huge amount of it.

AB> I'm not sure if the right stuff is exported, but in any case, as soon as
AB> you link to Samba your project becomes subject to the GPL.

It could be optional. And there is, libsmbclient WILL NOT BE PART OF MY PROJECT, only optional feature. I will not use CODE from this library. So, it is not so clear, will be my project GPL in this case or not. But in ANY case, this list is not the right place for such discussions.

>> Samba-grabbed, I know. But I want BSD, so I wrote this by hand,
>> using info from squid-related doc.

AB> Is it? Samba didn't have an easily grabbable NTLMSSP client when I
AB> first saw references to this in fetchmail

Oh yes, it is my fault. It is `libntlm 0.21'

--
Best regards,
Lev
mailto:lev@serebryakov.spb.ru