question regarding NTLM authentication

Andrew Bartlett abartlet at samba.org
Wed May 24 01:41:52 GMT 2006


On Tue, 2006-05-23 at 15:48 -0700, Murali Bashyam wrote:
> On 5/23/06, Stefan (metze) Metzmacher <metze at samba.org> wrote:
> >
> > Murali Bashyam schrieb:
> > > I am investigating the samba4.0 code to see if it can act as an
> > > authentication proxy device sitting in the middle between a CIFS client and
> > > server. It performs pass-through NTLM authentication with the CIFS client
> > > (i.e. samba machine as a server,
> >
> > I think we don't have pass-through auth working fully in samba4 yet.
> >
> > > talking to the NT domain controller), and
> > > next turning around acting on behalf of that logged in user as a client
> > > towards the actual CIFS server.
> > >
> > > Is there any way to accomplish this in the samba4.0 code base? If so, can
> > > someone point me to the relevant code?
> >
> > you should look at ntvfs/cifs/
> >
> > it provides a file share and proxies requests to another server.
> > but there are some issues with multiple SMB sessions on one SMB tree
> > connect.
> 
> 
> 
> I understand the code in ntvfs/cifs from a filesystem point of view, i.e.
> being able to do open/read/write/close CIFS operations and beyond. From an
> authentication point of view, can we also proxy the negprot and session
> setup requests to another server in an async manner, i.e. make the samba
> machine transparent to the NTLM authentication? I didn't see this kind of
> code in that directory, but maybe I missed something there.

No, there is not any NTLM authentication hook in there yet.  

> Alternatively, can we use the SAMLogon protocol (MS-RPC based) to obtain the
> NThash of the password of the logged in user, and then use that to
> participate in the NTLM challenge/response towards the actual server? We can
> assume that the machine running samba is a trusted machine in that domain
> etc.

You can't obtain the NT hash with SamLogon.  You can get it as a BDC
however, with SamSync.  It may be useful to get the user's session key
however, as that would allow a full MITM attack, including signing.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
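
Why the session key decides whether a host in the middle can sign, as an added example (not part of the original message and not Samba code): the NTLMv2 key derivation from MS-NLMP, with a truncated HMAC-SHA256 standing in for SMB signing. The user, domain, NT hash, challenge and blob are constructed values, and the `sign`/`verify` helpers are hypothetical.

```python
import hashlib
import hmac

def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTLMv2 response key (MS-NLMP NTOWFv2): HMAC-MD5 keyed with the NT hash."""
    identity = (user.upper() + domain).encode("utf-16-le")
    return hmac.new(nt_hash, identity, hashlib.md5).digest()

def nt_proof(response_key: bytes, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr: the part of the NTLMv2 response that crosses the wire."""
    return hmac.new(response_key, server_challenge + blob, hashlib.md5).digest()

def session_base_key(response_key: bytes, proof: bytes) -> bytes:
    """SessionBaseKey: never sent; derivable only with the response key."""
    return hmac.new(response_key, proof, hashlib.md5).digest()

def sign(key: bytes, message: bytes) -> bytes:
    # Assumption: a truncated HMAC-SHA256 stands in for SMB signing here.
    return hmac.new(key, message, hashlib.sha256).digest()[:16]

def verify(key: bytes, message: bytes, signature: bytes) -> bool:
    return hmac.compare_digest(sign(key, message), signature)

def demo() -> dict:
    # All values below are constructed for this example.
    nt_hash = bytes.fromhex("00112233445566778899aabbccddeeff")
    server_challenge = bytes.fromhex("0123456789abcdef")
    blob = b"\x01\x01" + bytes(6) + bytes(8) + bytes.fromhex("aabbccddeeff0011")
    message = b"constructed request body"

    # Client side: knows the NT hash (derived from the password).
    response_key = ntowf_v2(nt_hash, "alice", "EXAMPLE")
    proof = nt_proof(response_key, server_challenge, blob)
    client_key = session_base_key(response_key, proof)
    signature = sign(client_key, message)

    # Server side: receives the same key from the DC after validation.
    server_key = session_base_key(response_key, proof)

    # A middle host sees challenge, proof and blob but has no NT hash, so
    # the only key material it can try is what it observed on the wire.
    observed_key = hmac.new(proof, server_challenge + blob, hashlib.md5).digest()
    return {
        "server_accepts_client": verify(server_key, message, signature),
        "middle_host_can_sign": verify(server_key, message, sign(observed_key, message)),
        "tampered_message_accepted": verify(server_key, message + b"!", signature),
    }

if __name__ == "__main__":
    print(demo())
```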