samba - Oct 2004 - automatically authenticate domain logged-on users in apache with AD/NTDOM?

Hi!

I don't use MS products at all, so I have very little knowledge with them, 
but I believe Microsoft has as protocol where Internet Explorer can 
automatically authenticate against an IIS server, and given that the server 
and client are on the same NT domain, and the client user is logged in to 
that domain, the user is automatically logged in without the need to give 
away the password one more time to the webserver.

What is happening between the web server & the web client? Is the protocol 
open or reverse engineered? Can this authentication be done using apache @ 
unix (perhaps by apache interacting with samba somehow)?

Any ideas or links to more info about this would be much appreciated. 
Thanks!

/Palle

> I don't use MS products at all, so I have very little knowledge with
them,
> but I believe Microsoft has as protocol where Internet Explorer can 
> automatically authenticate against an IIS server, and given that the server
> and client are on the same NT domain, and the client user is logged in to 
> that domain, the user is automatically logged in without the need to give 
> away the password one more time to the webserver.
You're talking about NTLM.
 
> What is happening between the web server & the web client? Is the
protocol
> open or reverse engineered? Can this authentication be done using apache @ 
> unix (perhaps by apache interacting with samba somehow)?
On the server side - yes, even current versions of SASL support NTLM.
> Any ideas or links to more info about this would be much appreciated. 
On the UNIX/LINUX client side I think your stuck;  nothing I've found
supports
it.  If you in an AD domain or Kerberos environment you can probably do the
same thing with GSSAPI.

On Friday 22 October 2004 10:49, Palle Girgensohn wrote:
> Hi!
>
> I don't use MS products at all, so I have very little knowledge with
them,
> but I believe Microsoft has as protocol where Internet Explorer can
> automatically authenticate against an IIS server, and given that the server
> and client are on the same NT domain, and the client user is logged in to
> that domain, the user is automatically logged in without the need to give
> away the password one more time to the webserver.
Squid + ntlm-auth can handle the SPNEGO protocol. If you want this from Apache 
you should check out www.vintela.com.

-- John T.
>
> What is happening between the web server & the web client? Is the
protocol
> open or reverse engineered? Can this authentication be done using apache @
> unix (perhaps by apache interacting with samba somehow)?
>
> Any ideas or links to more info about this would be much appreciated.
> Thanks!
>
> /Palle
-- 
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668

Author:
The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
OpenLDAP by Example, ISBN: 0131488732
Other books in production.