Change in ntlm_auth response

Milan Crha mcrha at
Wed Apr 20 12:39:05 UTC 2016

I'd like to ask for a pointer to documentation about the
"communication protocol" with the ntlm_auth binary.

The thing is that since the latest Samba security update the ntlm_auth
binary changed behaviour, which uncovered a bug in libsoup [1]. Even
with a patched libsoup some parts can still fail, thus I'm wondering
about something more appropriate.

The previous behaviour of ntlm_auth was this:

a) libsoup asks ntlm_auth for the initial challenge
b) - ntlm_auth knows credentials, then it returns it
   - ntlm_auth doesn't know credentials, then it returns PW
c) libsoup uses its own initial challenge when PW is returned,
   otherwise the one from the ntlm_auth

The new behaviour is:

a) libsoup asks ntlm_auth for the initial challenge
b) ntlm_auth returns initial challenge
c) libsoup sends the initial challenge to the server
d) server returns some response
e) libsoup passes the response to the ntlm_auth
f) - ntlm_auth returns a new response, if credentials are known
   - ntlm_auth returns PW, when credentials are unknown
g) libsoup restarts the NTLM authentication with its own initial
   challenge when PW is returned (that's the place where the bug
   in libsoup was, because it gave up instead), or uses the new response
   from the ntlm_auth

I would prefer libsoup not to restart the NTLM authentication from
the beginning, because it means like 4 handshakes with the server and 2
of them unauthorized responses, thus if the server has some policy
about incorrect login requests, then it could eventually be reached
quickly for the IP. Thus I'm wondering whether ntlm_auth can
continue with a user-provided password (after the PW response), but as
I do not know the "communication protocol" with the ntlm_auth binary,
nor do I want to pass the password in clear form on the command
line, I'm looking for some documentation about this. The man page
of ntlm_auth wasn't very useful in this regard (otherwise it is
useful, with the argument descriptions and so on, only the
"communication protocol" description is not there).

I admit that I'm a total newbie with ntlm_auth, thus feel free to
correct me if I speak nonsense.

	Thanks and bye,

