[Samba] ntlm_auth and local security authority
Jakob Praher
jpraher at yahoo.de
Thu Jul 29 08:57:43 GMT 2004
hi all,
I am running a squid cache using the ntlm_auth samba util.
It works great when the users have joined the domain, since then IE
sends DOMAIN\Username NTLM information.
But it fails when there is a road warrior, which has not joined the
domain, but has created a username and password which is identical to a
domain user. This way for instance the windows smb system lets them in
without having to join the domain.
I wanted to install a hook for changing the DOMAIN on certain
conditions, but after reading through some NTLM specs, I found out that
the DOMAINUSER field is encrypted with the password key and that I would
have to dig in really deep in the ntlmssp to do the changes, which is
somehow not what I want.
So my question:
could the ntlmssp authentication in samba use the security
authority of the domain supplied by the client? So for instance, if the
client sends in MYCOMPUTER\User, could the winbind subsystem be
configured to contact the local security authority of that user instead
of contacting the DOMAIN controller?
Perhaps someone could give me a rough overview of the authentication
process used by ntlmssp. (which modules are called when; ntlm_auth
calls libsmb, ...) ntlm_auth serves as a ntlm server proxy, right?
(doing manage_squid_ntlmssp_request)
So when the client sends in its requests it does the server part, but
where in ntlmssp.c does it communicate with the domain controller or
security authority to testify the password is correct?
And a third question: Would it be easier using kerberos here? If the
client is a road warrior but has established a kerberos tgt with the
server, could that be reused with the squid cache (granted I would have
to create a squid server service key, but that should be no problem)
Perhaps someone has some experience with that?
thanks
-- Jakob
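The NTLMSSP Type 3 (AUTHENTICATE) message that ntlm_auth receives from squid carries the domain, user and workstation names as offset/length security buffers in a 64-byte fixed header, so a helper can read which authority the client named before any password check happens. The following is an added example, not code from the post or from Samba; the message layout is the documented NTLMSSP one, while the sample field values and the `names_local_authority` heuristic (domain field equal to the client's own workstation name) are constructed for illustration.

```python
import struct

NTLMSSP_NEGOTIATE_UNICODE = 0x00000001   # strings are UTF-16LE when set, else OEM/ASCII
SIGNATURE = b"NTLMSSP\x00"
AUTHENTICATE = 3                         # MessageType of a Type 3 message
HEADER_LEN = 64                          # fixed part without Version/MIC

def _encode(text, unicode):
    return text.encode("utf-16-le") if unicode else text.encode("ascii")

def build_type3(domain, user, workstation, lm_response, nt_response,
                flags=NTLMSSP_NEGOTIATE_UNICODE):
    """Build a minimal AUTHENTICATE message: six security buffers, then flags, then payload."""
    unicode = bool(flags & NTLMSSP_NEGOTIATE_UNICODE)
    fields = [lm_response, nt_response, _encode(domain, unicode),
              _encode(user, unicode), _encode(workstation, unicode), b""]  # b"": no session key
    header = SIGNATURE + struct.pack("<I", AUTHENTICATE)
    payload, offset = b"", HEADER_LEN
    for field in fields:
        header += struct.pack("<HHI", len(field), len(field), offset)  # Len, MaxLen, Offset
        payload += field
        offset += len(field)
    return header + struct.pack("<I", flags) + payload

def parse_type3(msg):
    """Extract the buffers a helper needs; bounds-check every offset against the message."""
    if msg[:8] != SIGNATURE or struct.unpack_from("<I", msg, 8)[0] != AUTHENTICATE:
        raise ValueError("not an NTLMSSP AUTHENTICATE message")
    def buf(pos):
        length, _maxlen, off = struct.unpack_from("<HHI", msg, pos)
        if off + length > len(msg):
            raise ValueError("security buffer runs past end of message")
        return msg[off:off + length]
    flags = struct.unpack_from("<I", msg, 60)[0]
    unicode = bool(flags & NTLMSSP_NEGOTIATE_UNICODE)
    def text(pos):
        raw = buf(pos)
        return raw.decode("utf-16-le") if unicode else raw.decode("ascii")
    return {"lm_response": buf(12), "nt_response": buf(20), "domain": text(28),
            "user": text(36), "workstation": text(44), "flags": flags}

def names_local_authority(fields):
    """Constructed heuristic: the client named its own machine, not a domain, as authority."""
    return fields["domain"].upper() == fields["workstation"].upper()

# Constructed sample: a road-warrior style logon, MYCOMPUTER\jakob from host MYCOMPUTER
SAMPLE = build_type3("MYCOMPUTER", "jakob", "MYCOMPUTER", b"\x11" * 24, b"\x22" * 24)
```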