Using Samba for HTTP-NTLM-authentication?
Richard Sharpe
rsharpe at ns.aus.com
Fri Jul 12 13:02:20 GMT 2002
On Fri, 12 Jul 2002, Tim Potter wrote:
> On Sat, Jul 13, 2002 at 04:47:17AM +0930, Richard Sharpe wrote:
>
> It's actually NTLMSSP base-64 encoded in http headers.
>
> > There has been much discussion about this on this list and on
> > #samba-technical and it may already be possible or close to possible using
> > samba-head based code.
>
> There is a mod_ntlm_winbind the basis of which is used in squid for its
> NTLMSSP support. The mod_ntlm_winbind project is currently unmaintained
> and broken.
>
> Basically there are hooks in winbindd (through the AUTH_CRAP command) to
> authenticate using a challenge and nt/lm responses.
>
> > It sounds like the client is doing a Windows LOGON using the previously
> > computed NT HASH generated when the user logged onto the client.
>
> Nope. There's a challenge sent by either the server and then the client
> produces a LM and NT response which is a hash of the challenge and the
> user's password. This is sent to the server (in this case winbindd) for
> authentication.
But the server does not have the user's password, only the NT or LM hash
of the user's password, so what I think you are saying is that the
respose if formed by hashing the challenge with the user's password hash?
Regards
-----
Richard Sharpe, rsharpe at ns.aus.com, rsharpe at samba.org,
sharpe at ethereal.com
More information about the samba-technical
mailing list