Using Samba for HTTP-NTLM-authentication?

Richard Sharpe rsharpe at ns.aus.com
Fri Jul 12 11:20:09 GMT 2002


On Fri, 12 Jul 2002, Johann Hanne wrote:

> 
> Hi folks,
> 
> Short version:
> --------------
> Can anybody tell me if there are hooks in Samba that make it possible 
> to use it in conjunction with an apache module for HTTP-based 
> NTLM-authentication?
> 
> Long version:
> -------------
> Internet Explorer can authenticate against a Web-Server using the 
> so-called NTLM-authentication (see 
> http://www.innovation.ch/java/ntlm.html). Despite the fact that the method 
> is braindead, it is extremely useful for Intranets and seems to be 
> reliable.
> 
> The whole thing is based on the authentication used by any SMB client that 
> connects to a SMB server:
> - The client connects to the server
> - The server generates and sends some random bytes (challenge)
> - The client sends a hash generated from password and challenge

Do you have a trace of what the client actually sends.

There has been much discussion about this on this list and on 
#samba-technical and it may already be possible or close to possible using 
samba-head based code.
 
It sounds like the client is doing a Windows LOGON using the previously 
computed NT HASH generated when the user logged onto the client.

> What I need are hooks to:
> - Connect to the SMB-Server
> - Intercept the random bytes
> - Send the hash
> 
> The point is that a function that just checks a combination of 
> username+cleartext-password is not enough, as I don't have a 
> cleartext-password.
> 
> A thing that would be even more interesting is if there is a way to do the 
> authentication as a domain member, i.e. not by doing 
> try-and-error-connects but by using the appropriate protocol.
> 
> I know there is already an apache module called "mod_ntlm" at sourceforge 
> (and some extended versions). However, it is very unstable (apache 
> processes segfault quite often) and it uses SMB code "Copyright (C) 
> Richard Sharpe 1996". I'd really love to use some current code for it!

Sigh, yes, that code got away :-(

> I've already found the function domain_client_validate() in 
> domain_client_validate.c. However, this file seems to unused currently as 
> it isn't compiled by the makefile and i wasn't able to compile it manually 
> due to undefined symbols and conflicts with another function with the same 
> name.
> This one is defined in smbd/password.c and is probably used in smbd. Is it 
> possible to use the function without the smbd environment?
> 
> Any comments?
> 
> Cheers, Jonny <jonny at 1409.org>
> 
> 

-- 
Regards
-----
Richard Sharpe, rsharpe at ns.aus.com, rsharpe at samba.org, 
sharpe at ethereal.com





More information about the samba-technical mailing list