using the Samba client library for NTLM authentication

Andrew Bartlett abartlet at samba.org
Wed Oct 1 07:02:37 GMT 2003


On Wed, 2003-10-01 at 16:36, aspa at kronodoc.fi wrote:
> hi
> 
> i'm interested in using the Samba v3.0 client library for implementing
> automatic logon for a web application for Windows network authenticated
> MS IE users (NTLM-over-HTTP). the required API should make it possible
> to negotiate authentication parameters (+get challenge) and authenticate
> a user in separate phases. the NTLM library i've tested so far seems to
> require that the same operating system process executes both phases of
> the authentication protocol. 

This is pretty standard.  The same TCP/IP socket must be used, so
allowing for different processes to handle it would just be overkill.

> in effect this means that i can only use
> one authentication process. i'd like to be able to increase
> authentication concurrency if possible. can i use the Samba libraries
> for this? can anyone give any pointers to relevant documentation or code
> examples?

The program/interface you are after is 'ntlm_auth'.  I've recently
updated the documentation, and am meant to be writing a 'programmers
guide' at some point.

The basic idea is that you run it with the
--helper-protocol=squid-2.5-ntlmssp option.  It talks to winbind, and
winbind handles the authentication for you.

You are required to keep the same TCP/IP session open for the duration
of the authenticated session (including the authentication), and you are
required to keep the same helper process alive for that period too.  

We are looking at an extension to the helper protocol for multiple
outstanding NTLMSSP authentication challenges, without multiple helpers.

> the Windows workstations run NT4 and XP, and the authentication server
> is a Windows 2000 AD server in my case.

Hooking winbindd up against this should not be a problem.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
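
An added example, not part of the original message and not Samba project code: a Python wrapper for the exchange described above, keeping one ntlm_auth helper alive per client TCP connection and sending both phases to that same process. The YR/KK request lines and TT/AF/NA replies are the squid-2.5-ntlmssp helper protocol; the class and function names, the connection ids and the stand-in helper (used so the block runs without Samba) are assumptions of this example.

```python
import subprocess
import sys

# Real invocation from the message; needs Samba's ntlm_auth and a running winbindd.
NTLM_AUTH_CMD = ["ntlm_auth", "--helper-protocol=squid-2.5-ntlmssp"]
# Constructed stand-in so the example runs offline: same line protocol
# (YR/KK in, TT/AF/NA/BH out) but it checks a fixed dummy token, not NTLM.
FAKE_HELPER_CMD = [sys.executable, "-u", "-c", (
    "import sys\n"
    "for line in sys.stdin:\n"
    "    verb, _, tok = line.strip().partition(' ')\n"
    "    if verb == 'YR': print('TT Y29uc3RydWN0ZWQ=')\n"
    "    elif verb == 'KK' and tok == 'Z29vZA==': print('AF alice')\n"
    "    elif verb == 'KK': print('NA constructed failure')\n"
    "    else: print('BH unexpected request')\n")]

class HelperSession:
    """One helper process, owned by exactly one client TCP connection."""
    def __init__(self, cmd):
        self.proc = subprocess.Popen(cmd, stdin=subprocess.PIPE,
                                     stdout=subprocess.PIPE, text=True, bufsize=1)

    def _ask(self, verb, token_b64, expected):
        # The token comes from the HTTP Authorization header: reject whitespace
        # so a client cannot inject a second request line into the helper.
        if not token_b64 or any(c.isspace() for c in token_b64):
            raise ValueError("token must be a single base64 word")
        self.proc.stdin.write(f"{verb} {token_b64}\n")
        self.proc.stdin.flush()
        code, _, rest = self.proc.stdout.readline().strip().partition(" ")
        if code not in expected:
            raise RuntimeError(f"helper failed: {code} {rest}".strip())
        return code, rest

    def challenge(self, negotiate_b64):
        # Phase 1: client's negotiate token in, challenge token out.
        return self._ask("YR", negotiate_b64, ("TT",))[1]

    def authenticate(self, response_b64):
        # Phase 2: must reach the same process that issued the challenge.
        code, rest = self._ask("KK", response_b64, ("AF", "NA"))
        return rest if code == "AF" else None

    def close(self):
        self.proc.stdin.close()
        self.proc.wait()
        self.proc.stdout.close()

sessions = {}  # connection id -> HelperSession, one helper per open connection

def session_for(conn_id, cmd=FAKE_HELPER_CMD):
    if conn_id not in sessions:
        sessions[conn_id] = HelperSession(cmd)
    return sessions[conn_id]
```

Pass `NTLM_AUTH_CMD` as `cmd` on a host with Samba installed, and call `close()` and drop the map entry when the client's TCP connection ends.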


More information about the samba-technical mailing list