Question on ntlm_auth tool

Yimin Chen ymchen at
Mon Sep 13 22:13:03 GMT 2004

Hi Andrew,

I still have some doubt about the ntlm_auth tool, sorry for posting so 
many questions. Could you please clarify them for me?

1) I see ntlm_auth has option to specify the NT/LM responses to get user 
authenticated. But if we don't parse the handshakes, but just handover 
to ntlm_auth tool, we won't even know which user we are authenticating.

So we still need to do some parsing to get username, domain, type of 
message, etc, right? Or anything after "Proxy Authorization: NTLM " 
should be passed to ntlm_auth? I am a little confused.

2) When you say "blob", is the encoded string inside the authentication 
header you are referring to? Is there any document about NTLMSSP that I 
should read to understand it better? The only thing I found right now is 
from Microsoft site:

"NTLMSSP, whose authentication service identifier is RPC_C_AUTHN_WINNT, 
is a security support provider that is available on all versions of 
DCOM. It uses the Microsoft® Windows NT® LAN Manager (NTLM) protocol for 


Andrew Bartlett wrote:
> On Sat, 2004-09-11 at 03:09, Yimin Chen wrote:
>>Hi Andrew,
>>Thank you very much for your reply! I have some more questions inline :)
>>At 06:44 PM 9/10/2004 +1000, Andrew Bartlett wrote:
>>>On Fri, 2004-09-10 at 10:02, Yimin Chen wrote:
>>>>Hi Andrew,
>>>>Thank you very much for the suggestion. I wasn't aware at all that
>>>>winbind_request APIs are not for external use.
>>>>Now Looking at the ntlm_auth tool again, I have a few more questions:
>>>>1) What is the option to retrieve the challenge from the server? In the
>>>>NTLM authentication case, we need to pass the challenge back to client,
>>>>and then retrieve the NT LM responses from client response, and pass the
>>>>callenge as well as the NT LM responses to the ntlm_auth tool, right?
>>>>I must have missed something, but can't figure out.
>>>Are you doing NTLM or NTLMSSP?  What is the target protocol?  (MSCHAP?
>>[YM] It is HTTP ntlm authentication that we are trying to do. So I guess it 
>>is NTLMSSP/HTTP? What is the difference between NTLM/NTLMSSP? I had thought 
>>they are same.
> When I talk about these authentication protocols, I refer to any scheme
> that just passes 8 bytes of challenge, and 24/>=24 bytes of response as
> an NTLM client.  This is typical in CIFS, before 'extended security'. 
> MS would also calls this MSCHAP, because this exactly what they did for
> their PPP and VPN solution (gag!).
> NTLMSSP is the blob-based authentication scheme, where the client
> intiates the session with a much longer NTLMSSP 'Negotiate' packet,
> which any intermediate application does not need a parse.  The design of
> this protocol is such that NTLMSSP should be passed to the 'security
> engine' unmodified.  (ntlm_auth takes the role of SSPI, if you
> application was on Windows)
> You may have code, such as the apache 'mod_ntlm' or similar that parses
> this code.  This should not be used, in any way.  Instead, by passing
> the entire blob to Samba's ntlm_auth, it can parse it, and handle the
> whole process.  
> Then ntlm_auth generates the challenge internally, and wraps it up in an
> NTLMSSP challenge packet, and asks your application to return it to the
> client.   ntlm_auth then expects an NTLMSSP negotiate packet, which
> included details about usernames and passwords inline.
> At no stage should you ever need to base64 decode the NTLMSSP data from
> the client, as ntlm_auth expects it unmodified (and conveniently, it
> expects it in base64 :-).
>>>Fundamentally, ntlm_auth operates as a privileged client in the domain,
>>>and the challenge is either generated inside the helper, or supplied to
>>>it, depending on mode of operation.
>>[YM] I see. Could you please clarify for me whether my following 
>>understanding is correct?
>>So the client machine our proxy process running should first join the 
>>domain as a privileged client, and then the proxy process can generate the 
>>challenge ourselves every time we want to authenticate an HTTP client, and 
>>then pass the challenge/NT LM responses to the ntlm_auth binary to 
>>authenticate the user. Is this correct? Or ntlm_auth will itself join the 
>>domain automatically?
> Incorrect.
> You must use Samba tools to join Samba to the domain, and configure
> winbind to talk to the domain controller.  Then Samba's ntlm_auth can be
> asked to handle the entire NTLMSSP layer.  It will return a username,
> and as per our earlier conversation, could be asked to return a series
> of groups.
> Andrew Bartlett

More information about the samba-technical mailing list