Samba4: ntlm_auth questions

Andrew Bartlett abartlet at samba.org
Tue Mar 28 22:31:51 GMT 2006


On Tue, 2006-03-28 at 16:52 +0200, Kai Blin wrote:
> Hi folks,
> 
> I'm currently investigating using the samba 4 gensec code to encrypt
> messages using NTLM. It looks like source/auth/ntlmssp/ntlmssp_sign.c
> has some functionality to do this, but this is not exposed by the
> ntlm_auth tool, which I am currently using to provide NTLM
> authentication for wine.

Correct.  I've considered possible extensions to this, but they get
unwieldy fast.

> I'm not sure if ntlm_auth is the right place to put that functionality,
> but Andrew Bartlett said that he would like to keep GENSEC internals
> internal, so I guess spinning this out of the current code into an extra
> lib is not an option. 

Actually, on the contrary:  Jelmer's recent work on the build system has
spun GENSEC out into a separate library, with installed headers and the
full ball of wax...

Now, it's GPL licenced for now, but my policy on re-licencing still
applies:  To the extent that I own the copyright, if another free
software project needs the code, and the last and only barrier is the
licence, I will seriously consider an LGPL licence. 

The problem is the code I don't own, and GENSEC currently has tentacles
into plenty of other parts of Samba's code. 

I'm not sure how stable the GENSEC interface is:  But I've not changed
too many of the primitive operations recently.  We also need to look at
what code 

> Maybe we could create a separate tool for things
> like this.

I don't really like that idea.  I would consider adding 'encrypt' and
'decrypt' commands to ntlm_auth, or allowing the session keys to be
extracted.  (We could then just have the sign/seal code duplicated).

But I think the library idea has merit.  Perhaps give it a whirl (as a
proof of concept), and see how it goes?

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net