Using Samba for HTTP-NTLM-authentication?
Richard Sharpe
rsharpe at ns.aus.com
Fri Jul 12 11:20:09 GMT 2002
On Fri, 12 Jul 2002, Johann Hanne wrote:
>
> Hi folks,
>
> Short version:
> --------------
> Can anybody tell me if there are hooks in Samba that make it possible
> to use it in conjunction with an apache module for HTTP-based
> NTLM-authentication?
>
> Long version:
> -------------
> Internet Explorer can authenticate against a Web-Server using the
> so-called NTLM-authentication (see
> http://www.innovation.ch/java/ntlm.html). Despite the fact that the method
> is braindead, it is extremely useful for Intranets and seems to be
> reliable.
>
> The whole thing is based on the authentication used by any SMB client that
> connects to a SMB server:
> - The client connects to the server
> - The server generates and sends some random bytes (challenge)
> - The client sends a hash generated from password and challenge

Do you have a trace of what the client actually sends?

There has been much discussion about this on this list and on
#samba-technical and it may already be possible or close to possible using
samba-head based code.

It sounds like the client is doing a Windows LOGON using the previously
computed NT HASH generated when the user logged onto the client.

> What I need are hooks to:
> - Connect to the SMB-Server
> - Intercept the random bytes
> - Send the hash
>
> The point is that a function that just checks a combination of
> username+cleartext-password is not enough, as I don't have a
> cleartext-password.
>
> A thing that would be even more interesting is if there is a way to do the
> authentication as a domain member, i.e. not by doing
> try-and-error-connects but by using the appropriate protocol.
>
> I know there is already an apache module called "mod_ntlm" at sourceforge
> (and some extended versions). However, it is very unstable (apache
> processes segfault quite often) and it uses SMB code "Copyright (C)
> Richard Sharpe 1996". I'd really love to use some current code for it!

Sigh, yes, that code got away :-(

> I've already found the function domain_client_validate() in
> domain_client_validate.c. However, this file seems to be unused currently as
> it isn't compiled by the makefile and I wasn't able to compile it manually
> due to undefined symbols and conflicts with another function with the same
> name.
> This one is defined in smbd/password.c and is probably used in smbd. Is it
> possible to use the function without the smbd environment?
>
> Any comments?
>
> Cheers, Jonny <jonny at 1409.org>
>
>
--
Regards
-----
Richard Sharpe, rsharpe at ns.aus.com, rsharpe at samba.org,
sharpe at ethereal.com
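
Added example, not part of the original messages and not Samba or mod_ntlm code: a small Python parser for the three NTLM messages carried in the HTTP `Authorization` / `WWW-Authenticate` headers, showing that the web server only ever sees the 8-byte challenge and the client's responses, never a cleartext password. Field offsets follow the message layout described at the innovation.ch page linked in the thread; the function names are hypothetical and the sample messages are constructed.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"

def secbuf(msg, pos):
    """Return the bytes a security buffer (len, maxlen, offset) points to."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):  # offsets are client-supplied: bounds-check
        raise ValueError("security buffer points outside the message")
    return msg[offset:offset + length]

def parse_ntlm_header(value):
    """Parse 'NTLM <base64>' from an Authorization or WWW-Authenticate header."""
    scheme, _, blob = value.partition(" ")
    if scheme != "NTLM":
        raise ValueError("not an NTLM header")
    msg = base64.b64decode(blob, validate=True)
    if len(msg) < 12 or not msg.startswith(SIGNATURE):
        raise ValueError("bad NTLMSSP signature")
    (mtype,) = struct.unpack_from("<I", msg, 8)
    if mtype == 1:  # client -> server: negotiate
        return {"type": 1}
    if mtype == 2 and len(msg) >= 32:  # server -> client: 8-byte challenge
        return {"type": 2, "challenge": msg[24:32]}
    if mtype == 3 and len(msg) >= 52:  # client -> server: responses, no password
        names = ("lm_response", "nt_response", "domain", "user", "workstation")
        fields = {n: secbuf(msg, 12 + 8 * i) for i, n in enumerate(names)}
        return {"type": 3, **fields}
    raise ValueError("unknown or truncated NTLM message")

def to_header(msg):
    return "NTLM " + base64.b64encode(msg).decode("ascii")

# Constructed sample messages (not captured traffic).
def build_type2(challenge):
    # type=2, empty target-name buffer, flags (OEM | NTLM), then the challenge
    return SIGNATURE + struct.pack("<IHHII", 2, 0, 0, 32, 0x0202) + challenge

def build_type3(lm, nt, domain, user, host):
    head, body = SIGNATURE + struct.pack("<I", 3), b""
    for field in (lm, nt, domain, user, host, b""):  # last: empty session key
        head += struct.pack("<HHI", len(field), len(field), 64 + len(body))
        body += field
    return head + struct.pack("<I", 0x0202) + body

if __name__ == "__main__":
    print(parse_ntlm_header(to_header(build_type2(bytes(range(8))))))
    print(parse_ntlm_header(to_header(build_type3(b"L" * 24, b"N" * 24, b"DOM", b"jonny", b"WS01"))))
```

The domain, user and workstation fields are returned as raw bytes because their encoding (OEM or UTF-16LE) depends on the negotiated flags.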