samba - Apr 2017 - Using ntlm_auth to get NTLMv2 Session support from an application

On Wed, Apr 19, 2017 at 1:08 PM, Jeremy Allison <jra at samba.org>
wrote:
>
> > Any insight, feedback into this issue would be much appreciated.
>
> The squid program does this. Maybe look into the code they
> use for their integration ?
>
> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm

Jeremy, thanks! That's exactly what I was looking at.

So here's a better question: Can you give me a brief technical explanation
on how this exactly works with respect to establishing a session? The goal
is basically to have mount.davfs first establish an NTLMv2 session (using
128-bit encryption) and then be able to access files through it using
standard filesystem calls.

The config example above is nice, but it doesn't really drill into how this
all works.

Btw, full NTLMv2 Session Security is supported with samba3+ right?

-aps

On Wed, Apr 19, 2017 at 03:47:05PM -0400, pisymbol .
wrote:
> On Wed, Apr 19, 2017 at 1:08 PM, Jeremy Allison <jra at samba.org>
wrote:
> >
> > > Any insight, feedback into this issue would be much appreciated.
> >
> > The squid program does this. Maybe look into the code they
> > use for their integration ?
> >
> > http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm
> 
> 
> Jeremy, thanks! That's exactly what I was looking at.
> 
> So here's a better question: Can you give me a brief technical
explanation
> on how this exactly works with respect to establishing a session? The goal
> is basically to have mount.davfs first establish an NTLMv2 session (using
> 128-bit encryption) and then be able to access files through it using
> standard filesystem calls.
Not quickly. Probably best to look into the squid code itself
and see how they drive it.
> Btw, full NTLMv2 Session Security is supported with samba3+ right?
Yes.

On Fri, 2017-04-21 at 14:12 -0700, Jeremy Allison via samba
wrote:
> On Wed, Apr 19, 2017 at 03:47:05PM -0400, pisymbol . wrote:
> > On Wed, Apr 19, 2017 at 1:08 PM, Jeremy Allison <jra at
samba.org>
> > wrote:
> > > 
> > > > Any insight, feedback into this issue would be much
> > > > appreciated.
> > > 
> > > The squid program does this. Maybe look into the code they
> > > use for their integration ?
> > > 
> > > http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm
> > 
> > 
> > Jeremy, thanks! That's exactly what I was looking at.
> > 
> > So here's a better question: Can you give me a brief technical
> > explanation
> > on how this exactly works with respect to establishing a session?
> > The goal
> > is basically to have mount.davfs first establish an NTLMv2 session
> > (using
> > 128-bit encryption) and then be able to access files through it
> > using
> > standard filesystem calls.
> 
> Not quickly. Probably best to look into the squid code itself
> and see how they drive it.
Also look into Wine.  Kai did something very similar there a long time
ago.

Your task is fairly easy as the resulting HTTP session won't be NTLMSSP
encrypted, just authenticated with NTLMSSP, so you don't need to
involve Samba long-term, or get out encryption keys. 

See the 'squid' helper modes, there is ntlmssp-client-1 that you should
use.

You can also play with NTLMSSP over mouse-buffer between that and the
squid-2.5-ntlmssp server mode.  Set --password on the server and it
becomes standalone binary that does not need Samba running.

I hope this helps,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba