using the Samba client library for NTLM authentication

Andrew Bartlett abartlet at
Wed Oct 1 07:02:37 GMT 2003

On Wed, 2003-10-01 at 16:36, aspa at wrote:
> hi
> i'm interested in using the Samba v3.0 client library for implementing
> automatic logon for a web application for Windows network authenticated
> MS IE users (NTLM-over-HTTP). the required API should make it possible
> to negotiate authentication parameters (+get challenge) and authenticate
> a user in separate phases. the NTLM library i've tested so far seems to
> require that the same operating system process executes both phases of
> the authentication protocol. 

This is pretty standard.  The same TCP/IP socket must be used, so
allowing for different processes to handle it would just be overkill.

> in effect this means that i can only use
> one authentication process. i'd like to be able to increase
> authentication concurrency if possible. can i use the Samba libraries
> for this? can anyone give any pointers to relevant documentation or code
> examples?

The program/interface you are after is 'ntlm_auth'.  I've recently
updated the documentation, and am meant to be writing a 'programmers
guide' at some point.

The basic idea is that you run it with the
--helper-protocol=squid-2.5-ntlmssp option.  It talks to winbind, and
winbind handles the authentication for you.

You are required to keep the same TCP/IP session open for the duration
of the authenticated session (including the authentication), and you are
required to keep the same helper process alive for that period too.  

We are looking at an extension to the helper protocol for multiple
outstanding NTLMSSP authentication challenges, without multiple helpers.

> the Windows workstations run NT4 and XP, and the authentication server
> is a Windows 2000 AD server in my case.

Hooking winbindd up against this should not be a problem.

Andrew Bartlett

Andrew Bartlett                                 abartlet at
Manager, Authentication Subsystems, Samba Team  abartlet at
Student Network Administrator, Hawker College   abartlet at
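
The one-helper-per-connection rule described in the message above, as an added example that is not part of the original message or Samba's own code. The class and constant names are hypothetical, and the YR/KK request and TT/AF/BH reply verbs are the squid-2.5-ntlmssp helper conventions assumed here rather than stated in the message; a constructed stand-in helper replaces ntlm_auth so the block runs offline.

```python
import re
import sys
from subprocess import PIPE, Popen

REAL_HELPER = ["ntlm_auth", "--helper-protocol=squid-2.5-ntlmssp"]

# Constructed stand-in for ntlm_auth: challenge state lives in the process.
FAKE_HELPER = [sys.executable, "-u", "-c", r'''
import sys
seen = False
for line in sys.stdin:
    verb = line[:2]
    seen = seen or verb == "YR"
    reply = {"YR": "TT Q09OU1RSVUNURUQ=", "KK": "AF EXAMPLE\\alice"}.get(verb)
    print(reply if seen and reply else "BH no challenge outstanding", flush=True)
''']


class ConnectionAuth:
    """One helper process, owned by exactly one client TCP connection."""

    def __init__(self, helper_cmd=REAL_HELPER):
        self.proc = Popen(helper_cmd, stdin=PIPE, stdout=PIPE, text=True)

    def _ask(self, verb, b64_token):
        # Client-supplied token: refuse anything that could inject a second line.
        if not re.fullmatch(r"[A-Za-z0-9+/=]+", b64_token):
            raise ValueError("token is not base64")
        print(f"{verb} {b64_token}", file=self.proc.stdin, flush=True)
        code, _, rest = self.proc.stdout.readline().strip().partition(" ")
        return code, rest

    def negotiate(self, type1_b64):
        """Phase 1: return the base64 challenge for the 401 response."""
        code, rest = self._ask("YR", type1_b64)
        if code != "TT":
            raise RuntimeError(f"helper refused negotiate: {code} {rest}")
        return rest

    def authenticate(self, type3_b64):
        """Phase 2: return DOMAIN\\user on success, None otherwise."""
        code, rest = self._ask("KK", type3_b64)
        return rest if code == "AF" else None

    def close(self):
        self.proc.stdin.close()
        self.proc.wait()
```

Create one ConnectionAuth when a client socket is accepted and close it when the socket closes; concurrency then comes from running one helper per open connection.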