Question on ntlm_auth tool

Yimin Chen ymchen at
Fri Sep 10 00:02:54 GMT 2004

Hi Andrew,

Thank you very much for the suggestion. I wasn't aware at all that 
winbind_request APIs are not for external use.

Now looking at the ntlm_auth tool again, I have a few more questions:

1) What is the option to retrieve the challenge from the server? In the 
NTLM authentication case, we need to pass the challenge back to client, 
and then retrieve the NT LM responses from client response, and pass the 
challenge as well as the NT LM responses to the ntlm_auth tool, right?

I must have missed something, but can't figure it out.

2) Is there a dynamic library API instead of binary calls of ntlm_auth 
that we can use to achieve the ntlm authentication? Invoking API calls 
could have lower overhead than binary calls.


Andrew Bartlett wrote:
> On Fri, 2004-09-10 at 09:05, Yimin Chen wrote:
>>Hi Andrew,
>>Thanks for the clarification! 
>>I was trying to evaluate which API I can use to do NTLM authentication
>>and group authorization. ntlm_auth was the first one I was looking at,
>>since it is the one squid uses. Since this protocol doesn't exist
>>today, I can still use:
>> winbindd_request(WINBINDD_GETGROUPS, &request, &response) to manually
>>retrieve the group sids, right? 
>>Is there an API that I can use to retrieve a list of group names
>>instead of group sids, given username?
> I would strongly suggest you *don't* call winbindd directly.  Firstly,
> the getgroups is not an ideal call, due to posix conversions that occur
> (if you want to match with windows groups, there are more points of
> failure if you must first convert to posix uid/gid form).  
> But more seriously, the winbindd pipe interface changes, this is why I
> added ntlm_auth - it was driving the squid team batty :-)
> Work with me to add the extensions we require to ntlm_auth, and use
> that.
> Andrew Bartlett

More information about the samba-technical mailing list