Hello

my goal is to write an authentication module for the Symfony php framework, which would provide SSO capabilities to browsers that are logged in an MS AD domain and support the NTLMv2 protocol. Ideally this module would run on linux servers, and be portable, i.e. require as few non-php tools and network/firewall settings as possible (that's why I eschewed the existing Apache modules which do Kerberos)

So far I have working code which can generate, send, receive and decode the NTLMv2 messages. The only catch is that I cannot easily verify the authentication messages sent by the browser in response to the challenge messages that my app has sent, as the app does not have access to the user database, which is only stored in the AD. The app can access the AD via secure LDAP, but that does not seem to help with the NTLM hashes (the app never stores user passwords locally).

I thought that the ntlm_auth tool for Samba might be used in this scenario, as it seems to have been developed to do exactly the same for Squid.

I played around with it a little bit, but so far have not managed to get it working, hence my questions to the list:

1. would you recommend just abandoning this path and favour other auth protocols/tools, because of known blockers (apart from ntlm not being considered very secure any more)?

2. can the ntlm_auth command verify the authentication for a given user if my app provides to it the username, challenge, and browser response to that challenge? Or is it mandatory to let ntlm_auth generate the challenge by itself?

3. if the answer to 2) is yes, what are the command line parameters needed for such an interaction?

4. if the answer to 2) is no, is the best way to integrate it to use the "squid-2.5-ntlmssp" protocol?

What I have working so far:

- samba 4.2.10 (from Debian jessie package) joined to a MS AD domain (windows server 2012)
- ntlm_auth --username=ggiunta (and password given when asked) => ok
- ntlm_auth --helper-protocol=ntlmssp-client-1 => ok
- ntlm_auth --helper-protocol=squid-2.5-basic => ko
- ntlm_auth --username=ggiunta --challenge=68656c6c6f313233 --nt-response=... => ko

Any help is appreciated

Gaetano
Jonathan Hunter
2016-May-31 20:36 UTC
[Samba] Using ntlm_auth with a non-Squid application
Hi Gaetano,

Good plan, I'd be very interested in your work as I am starting to look at symfony here, also!

I do have ntlm_auth working perfectly using Samba 4 (and with badlock patches). I use it with freeradius, not squid. An extract from my /etc/raddb/modules/mschap, if it helps:

ntlm_auth = "/usr/local/samba/bin/ntlm_auth --request-nt-key --username=%{%{mschap:User-Name}:-%{%{User-Name}:-None}} --domain=%{%{mschap:NT-Domain}:-MYDOMAIN} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"

You might get some inspiration from the freeradius ntlm_auth guides; or I'm happy to share other parts of my config if that helps, too.

Cheers,

Jonathan

-- 
"If we knew what it was we were doing, it would not be called research, would it?" - Albert Einstein
Andrew Bartlett
2016-Jun-01 08:54 UTC
[Samba] Using ntlm_auth with a non-Squid application
On Tue, 2016-05-31 at 15:38 +0100, Gaetano Giunta wrote:
> Hello
>
> my goal is to write an authentication module for the Symfony php framework, which would provide SSO capabilities to browsers that are logged in an MS AD domain and support the NTLMv2 protocol. Ideally this module would run on linux servers, and be portable, i.e. require as few non-php tools and network/firewall settings as possible (that's why I eschewed the existing Apache modules which do Kerberos)

I would strongly suggest you re-visit that assumption. You should either use mod_auth_krb, or mod_auth_ntlm_winbindd, rather than try and handle the headers in a PHP app.

> So far I have working code which can generate, send, receive and decode the NTLMv2 messages. The only catch is that I cannot easily verify the authentication messages sent by the browser in response to the challenge messages that my app has sent, as the app does not have access to the user database, which is only stored in the AD. The app can access the AD via secure LDAP, but that does not seem to help with the NTLM hashes (the app never stores user passwords locally).

As you have probably figured out, you need to use the secure netlogon protocol to verify NTLM authentication.

> I thought that the ntlm_auth tool for Samba might be used in this scenario, as it seems to have been developed to do exactly the same for Squid.
>
> I played around with it a little bit, but so far have not managed to get it working, hence my questions to the list:
>
> 1. would you recommend just abandoning this path and favour other auth protocols/tools, because of known blockers (apart from ntlm not being considered very secure any more)?

Yes.

> 2. can the ntlm_auth command verify the authentication for a given user if my app provides to it the username, challenge, and browser response to that challenge? Or is it mandatory to let ntlm_auth generate the challenge by itself?

You should not decode the NTLM response, just use the squid-2.5-ntlmssp helper mode and feed it the whole NTLMSSP blob. But don't do it in PHP, let mod_auth_ntlm_winbind do it for you, as it can hold the TCP socket open properly.

> 3. if the answer to 2) is yes, what are the command line parameters needed for such an interaction?
>
> 4. if the answer to 2) is no, is the best way to integrate it to use the "squid-2.5-ntlmssp" protocol?
>
> What I have working so far:
>
> - samba 4.2.10 (from Debian jessie package) joined to a MS AD domain (windows server 2012)
> - ntlm_auth --username=ggiunta (and password given when asked) => ok
> - ntlm_auth --helper-protocol=ntlmssp-client-1 => ok
> - ntlm_auth --helper-protocol=squid-2.5-basic => ko
> - ntlm_auth --username=ggiunta --challenge=68656c6c6f313233 --nt-response=... => ko

Don't use this mode for what you are doing.

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
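The following is an added example (not code from this thread, Samba or Symfony) of the approach Andrew describes: the server passes each browser NTLMSSP blob through untouched to ntlm_auth in squid-2.5-ntlmssp mode and keeps one helper process alive for the whole NEGOTIATE/CHALLENGE/AUTHENTICATE exchange on a client connection. It is written in Python for illustration rather than PHP; the YR/TT/KK/AF/NA/BH lines are the Squid NTLM helper protocol that ntlm_auth speaks, while the function names and the bare `ntlm_auth` path are assumptions.

```python
import base64
import struct
import subprocess

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"

def ntlmssp_message_type(blob: bytes) -> int:
    """Read only the MessageType field (1 = NEGOTIATE, 3 = AUTHENTICATE); nothing else is decoded."""
    if len(blob) < 12 or blob[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    return struct.unpack_from("<I", blob, 8)[0]

def helper_request(authorization_header: str) -> str:
    """Map 'Authorization: NTLM <base64>' to the helper's request line: YR for Type 1, KK for Type 3."""
    scheme, _, token = authorization_header.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        raise ValueError("not an NTLM Authorization header")
    kind = ntlmssp_message_type(base64.b64decode(token, validate=True))
    if kind == 1:
        return "YR " + token
    if kind == 3:
        return "KK " + token
    raise ValueError(f"unexpected NTLMSSP message type {kind}")

def parse_helper_reply(line: str) -> tuple:
    """TT <b64>: send back as WWW-Authenticate: NTLM; AF <user>: accepted; NA <reason> / BH <msg>: rejected."""
    code, _, rest = line.rstrip("\r\n").partition(" ")
    if code == "TT":
        return ("challenge", rest)
    if code == "AF":
        return ("authenticated", rest)
    if code in ("NA", "BH"):
        return ("failed", rest)
    raise ValueError(f"unknown helper reply {line!r}")

def spawn_ntlm_auth(path="ntlm_auth"):
    """Real transport: one ntlm_auth process per client connection, kept open across both round trips."""
    proc = subprocess.Popen([path, "--helper-protocol=squid-2.5-ntlmssp"], stdin=subprocess.PIPE,
                            stdout=subprocess.PIPE, text=True, bufsize=1)
    def send(line: str) -> str:
        proc.stdin.write(line + "\n")
        proc.stdin.flush()
        return proc.stdout.readline()
    return send

def handle_request(send, authorization_header: str) -> tuple:
    """One HTTP request on a connection: forward its blob to that connection's helper and map the reply."""
    return parse_helper_reply(send(helper_request(authorization_header)))
```

The helper keeps the challenge state between the YR and KK lines, so both requests of one browser connection must reach the same process; the `send` closure is what ties them together.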
Andrew Bartlett
2016-Jun-01 08:56 UTC
[Samba] Using ntlm_auth with a non-Squid application
On Tue, 2016-05-31 at 21:36 +0100, Jonathan Hunter wrote:
> Hi Gaetano,
>
> Good plan, I'd be very interested in your work as I am starting to look at symfony here, also!
>
> I do have ntlm_auth working perfectly using Samba 4 (and with badlock patches). I use it with freeradius, not squid. An extract from my /etc/raddb/modules/mschap, if it helps:
>
> ntlm_auth = "/usr/local/samba/bin/ntlm_auth --request-nt-key --username=%{%{mschap:User-Name}:-%{%{User-Name}:-None}} --domain=%{%{mschap:NT-Domain}:-MYDOMAIN} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
>
> You might get some inspiration from the freeradius ntlm_auth guides; or I'm happy to share other parts of my config if that helps, too.

I'm glad to hear that the FreeRADIUS use of ntlm_auth continues well. There is also a stdio based method that could be used for that, ntlm-server-1.

In any case, the difference between FreeRADIUS and a HTTP server is that FreeRADIUS is pure NTLM (pretending to be MSCHAPv2), while HTTP is the wrapped NTLMSSP, which it is better to let Samba parse, for security reasons.

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba