[Samba] ntlm_auth and local security authority

Jakob Praher jpraher at yahoo.de
Thu Jul 29 08:57:43 GMT 2004


hi all,

I am running a squid cache using the ntlm_auth samba util.
It works great when the users have joined the domain, since then IE 
sends DOMAIN\Username NTLM information.

But it fails when there is a road warrior, who has not joined the 
domain, but has created a username and password which are identical to a 
domain user's. This way, for instance, the windows smb system lets them in 
without having to join the domain.

I wanted to install a hook for changing the DOMAIN on certain 
conditions, but after reading through some NTLM specs, I found out that 
the DOMAINUSER field is encrypted with the password key and that I would 
have to dig in really deep in the ntlmssp to do the changes, which is 
somehow not what I want.

So my question:
could the ntlmssp authentication in samba use the security 
authority of the domain supplied by the client? So, for instance, if the 
client sends in MYCOMPUTER\User, could the winbind subsystem be 
configured to contact the local security authority of that user instead 
of contacting the DOMAIN controller?

Perhaps someone could give me a rough overview of the authentication 
process used by ntlmssp (which modules are called when; ntlm_auth 
calls libsmb, ...). ntlm_auth serves as an ntlm server proxy, right? 
(doing manage_squid_ntlmssp_request)
So when the client sends in its requests it does the server part, but 
where in ntlmssp.c does it communicate with the domain controller or 
security authority to testify that the password is correct?

And a third question: Would it be easier using kerberos here? If the 
client is a road warrior but has established a kerberos TGT with the 
server, could that be reused with the squid cache? (Granted, I would have 
to create a squid server service key, but that should be no problem.)

Perhaps someone has some experience with that?


thanks
-- Jakob
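The post asks which domain the client puts into its NTLM authenticate message and whether the helper can act on it. The following is an added example, not code from the post or from Samba's ntlm_auth: it builds a constructed NTLMSSP Type 3 (AUTHENTICATE_MESSAGE) with the field layout from MS-NLMP, decodes the `KK <base64>` line that Squid hands its NTLM helper, and reports the client-supplied domain, user and workstation. The function names (`parse_squid_kk_line`, `check_domain`), the dummy response bytes and the cp437 fallback for non-Unicode clients are my assumptions; the responses are placeholder bytes, not real NTLM hashes. It is meant as a logging/diagnostic aid for a cache operator who wants to see when a road-warrior client authenticates as MYCOMPUTER\User instead of DOMAIN\User.

```python
import base64
import struct

# Constants from MS-NLMP: 8-byte signature, message type 3 and the UNICODE flag.
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
AUTHENTICATE_MESSAGE = 3
NEGOTIATE_UNICODE = 0x00000001
HEADER_LEN = 64  # fixed part without the optional Version/MIC blocks


def _field(buf_len, offset):
    """Pack one Len/MaxLen/BufferOffset descriptor as used in the NTLM header."""
    return struct.pack("<HHI", buf_len, buf_len, offset)


def build_authenticate(domain, user, workstation, lm_resp=b"", nt_resp=b"",
                       flags=NEGOTIATE_UNICODE):
    """Assemble a constructed Type 3 message (assumption: no Version/MIC).
    lm_resp/nt_resp are dummy bytes for demonstration, not real responses."""
    enc = lambda s: s.encode("utf-16-le")
    # Payload order: LmResponse, NtResponse, Domain, User, Workstation, SessionKey
    parts = [lm_resp, nt_resp, enc(domain), enc(user), enc(workstation), b""]
    fields, offset = [], HEADER_LEN
    for part in parts:
        fields.append(_field(len(part), offset))
        offset += len(part)
    return (NTLMSSP_SIGNATURE + struct.pack("<I", AUTHENTICATE_MESSAGE)
            + b"".join(fields) + struct.pack("<I", flags) + b"".join(parts))


def parse_authenticate(msg):
    """Extract the plaintext identity fields from a Type 3 message.
    Raises ValueError on anything that is not a well-formed authenticate."""
    if msg[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    if msg_type != AUTHENTICATE_MESSAGE:
        raise ValueError(f"expected Type 3, got {msg_type}")
    (flags,) = struct.unpack_from("<I", msg, 60)
    codec = "utf-16-le" if flags & NEGOTIATE_UNICODE else "cp437"  # assumption: OEM == cp437

    def read(pos, text):
        length, _maxlen, off = struct.unpack_from("<HHI", msg, pos)
        if off + length > len(msg):          # bounds check before slicing
            raise ValueError("field runs past end of message")
        raw = msg[off:off + length]
        return raw.decode(codec) if text else raw

    return {
        "domain": read(28, True),
        "user": read(36, True),
        "workstation": read(44, True),
        "nt_response_len": len(read(20, False)),
        "flags": flags,
    }


def encode_squid_kk_line(msg):
    """Produce the 'KK <base64>' line Squid sends its NTLM helper (constructed)."""
    return "KK " + base64.b64encode(msg).decode("ascii")


def parse_squid_kk_line(line):
    """Decode a Squid 'KK' helper line and return the parsed identity fields."""
    tag, _, b64 = line.strip().partition(" ")
    if tag != "KK":
        raise ValueError(f"not a KK line: {tag!r}")
    return parse_authenticate(base64.b64decode(b64))


def check_domain(fields, expected_domain):
    """Report whether the client authenticated against the domain the cache
    is joined to; a local-account road warrior shows up as a mismatch."""
    if fields["domain"].upper() == expected_domain.upper():
        return "ok"
    return (f"domain mismatch: client sent {fields['domain']}\\{fields['user']}"
            f" from {fields['workstation']}, expected {expected_domain}")


if __name__ == "__main__":
    # Constructed sample: a machine-local account on LAPTOP, not a domain logon.
    sample = build_authenticate("MYCOMPUTER", "jakob", "LAPTOP", nt_resp=b"\x01" * 24)
    parsed = parse_squid_kk_line(encode_squid_kk_line(sample))
    print(parsed)
    print(check_domain(parsed, "DOMAIN"))
```

The domain, user and workstation names travel in the clear in the Type 3 message (only the challenge responses are derived from the password), so a helper or a log filter in front of ntlm_auth can read them without touching the NTLMSSP crypto. Whether the domain controller will accept a logon for MYCOMPUTER\User is a separate matter that this parser does not answer; it only makes the mismatch visible.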
