Using Samba for HTTP-NTLM-authentication?

Tim Potter tpot at
Fri Jul 12 11:56:31 GMT 2002

On Sat, Jul 13, 2002 at 04:47:17AM +0930, Richard Sharpe wrote:

> > The whole thing is based on the authentication used by any SMB client that 
> > connects to a SMB server:
> > - The client connects to the server
> > - The server generates and sends some random bytes (challenge)
> > - The client sends a hash generated from password and challenge
> Do you have a trace of what the client actually sends?

It's actually NTLMSSP base-64 encoded in HTTP headers.

> There has been much discussion about this on this list and on 
> #samba-technical and it may already be possible or close to possible using 
> samba-head based code.

There is a mod_ntlm_winbind, the basis of which is used in squid for its
NTLMSSP support.  The mod_ntlm_winbind project is currently unmaintained
and broken.

Basically there are hooks in winbindd (through the AUTH_CRAP command) to
authenticate using a challenge and nt/lm responses.

> It sounds like the client is doing a Windows LOGON using the previously 
> computed NT HASH generated when the user logged onto the client.

Nope.  There's a challenge sent by either the server and then the client 
produces an LM and NT response which is a hash of the challenge and the 
user's password.  This is sent to the server (in this case winbindd) for

> > I know there is already an apache module called "mod_ntlm" at sourceforge 
> > (and some extended versions). However, it is very unstable (apache 
> > processes segfault quite often) and it uses SMB code "Copyright (C) 
> > Richard Sharpe 1996". I'd really love to use some current code for it!
> Sigh, yes, that code got away :-(

Whoop whoop - GPL violation.  (-:  The neat thing about mod_ntlm_winbind
is that it doesn't violate the GPL.

> > I've already found the function domain_client_validate() in 
> > domain_client_validate.c. However, this file seems to be unused currently as 
> > it isn't compiled by the makefile and I wasn't able to compile it manually 
> > due to undefined symbols and conflicts with another function with the same 
> > name.
> > This one is defined in smbd/password.c and is probably used in smbd. Is it 
> > possible to use the function without the smbd environment?

This way lies madness.  There are too many dependencies in Samba to take
any useful part of it out to use separately.
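
Added example, not part of the original message and not Samba or mod_ntlm_winbind code: a decoder for the base64 NTLMSSP tokens carried in HTTP headers, pulling out the server challenge and the client's LM and NT responses discussed above. Field offsets follow the published NTLMSSP message layout; the function names and the sample messages are constructed for illustration.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"

def _secbuf(msg, off):
    """Follow a security buffer (len, maxlen, offset) to the bytes it names."""
    length, _maxlen, start = struct.unpack_from("<HHI", msg, off)
    if start + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[start:start + length]

def parse_ntlm_header(value):
    """Decode an 'NTLM <base64>' WWW-Authenticate/Authorization header value."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        raise ValueError("not an NTLM header value")
    msg = base64.b64decode(token, validate=True)
    if len(msg) < 12 or msg[:8] != SIGNATURE:
        raise ValueError("missing NTLMSSP signature")
    mtype = struct.unpack_from("<I", msg, 8)[0]
    if mtype == 1:                       # client -> server: negotiate
        return {"type": 1}
    if mtype == 2 and len(msg) >= 32:    # server -> client: 8-byte challenge
        return {"type": 2, "challenge": msg[24:32]}
    if mtype == 3 and len(msg) >= 52:    # client -> server: LM and NT responses
        names = ("lm_response", "nt_response", "domain", "user", "workstation")
        # Values stay raw bytes: the text encoding depends on the negotiated flags.
        return {"type": 3, **{n: _secbuf(msg, 12 + 8 * i) for i, n in enumerate(names)}}
    raise ValueError("truncated or unknown NTLMSSP message")

def build_sample_type2(challenge):
    """Constructed CHALLENGE message (empty target name, zero flags)."""
    msg = SIGNATURE + struct.pack("<IHHII", 2, 0, 0, 32, 0) + challenge
    return "NTLM " + base64.b64encode(msg).decode()

def build_sample_type3(lm, nt, domain, user, host):
    """Constructed AUTHENTICATE message; every value passed in is made up."""
    fields, payload, off = b"", b"", 64
    for part in (lm, nt, domain, user, host, b""):   # last: empty session key
        fields += struct.pack("<HHI", len(part), len(part), off)
        payload += part
        off += len(part)
    msg = SIGNATURE + struct.pack("<I", 3) + fields + struct.pack("<I", 0) + payload
    return "NTLM " + base64.b64encode(msg).decode()

if __name__ == "__main__":
    print(parse_ntlm_header(build_sample_type2(bytes(range(8)))))
    print(parse_ntlm_header(build_sample_type3(b"L" * 24, b"N" * 24, b"DOM", b"alice", b"WS1")))
```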

