question regarding NTLM authentication
mbcoder at gmail.com
Wed May 24 02:04:25 GMT 2006
On 5/23/06, Andrew Bartlett <abartlet at samba.org> wrote:
> On Tue, 2006-05-23 at 15:48 -0700, Murali Bashyam wrote:
> > On 5/23/06, Stefan (metze) Metzmacher <metze at samba.org> wrote:
> > >
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA1
> > >
> > > Murali Bashyam schrieb:
> > > > I am investigating the samba4.0 code to see if it can act as a
> > > > authentication proxy device sitting in the middle between a CIFS
> > > and
> > > > server. It performs pass-through NTLM authentication with the CIFS
> > > client (
> > > > i.e samba machine as a server,
> > >
> > > I think we don't have pass-through auth working fully in samba4 yet.
> > >
> > > > talking to the NT domain controller), and
> > > > next turning around acting on behalf of that logged in user as a
> > > > towards the actual CIFS server.
> > > >
> > > > Is there anyway to accomplish this in the samba4.0 code base? If so,
> > > > someone point me to the relevant code?
> > >
> > > you should look at ntvfs/cifs/
> > >
> > > it provides a file share and proxy requests to another server.
> > > but there're some issues with multiple SMB session on one SMB tree
> > > connect.
> > I understand the code in ntvfs/cifs from a filesystem point of view,
> > i.ebeing able to do open/read/write/close CIFS operations and beyond.
> > >From an
> > authentication point of view, can we also proxy the negprot and session
> > setups requests to another server in an async manner i.e make the samba
> > machine transparent to the NTLM authentication. I didn't see this kind
> > code in that directory, but maybe i missed something there.
> No, there is not any NTLM authentication hook in there yet.
In that case, does it make sense for us to investigate this add it and
contribute it to the main source i.e does the approach sound feasible?
> Alternatively, can we use the SAMLogon protocol (MS-RPC based) to obtain
> > NThash of the password of the logged in user, and then use that to
> > participate in the NTLM challenge/response towards the actual server? We
> > assume that the machine running samba is a trusted machine in that
> > etc.
> You can't obtain the NT hash with SamLogon. You can get it as a BDC
> however, with SamSync. It may be useful to get the user's session key
> however, as that would allow a full MITM attack, including signing.
Okay, i'll look that up.
> Andrew Bartlett http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org
> Student Network Administrator, Hawker College http://hawkerc.net
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v18.104.22.168 (GNU/Linux)
> -----END PGP SIGNATURE-----
More information about the samba-technical