[Samba] Using ntlm_auth with a non-Squid application

Andrew Bartlett abartlet at samba.org
Wed Jun 1 08:54:37 UTC 2016

On Tue, 2016-05-31 at 15:38 +0100, Gaetano Giunta wrote:
> Hello
> my goal is to write an authentication module for the Symfony php
> framework, which would provide SSO capabilities to browsers that are
> logged in an MS AD domain
> and support the NTLMv2 protocol. Ideally this module would run on
> linux servers, and be portable, i.e. require as few non-php tools and
> network/firewall
> settings as possible (that's why I eschewed the existing Apache
> modules which do Kerberos)

I would strongly suggest you re-visit that assumption.  You should
either use mod_auth_krb, or mod_auth_ntlm_winbindd, rather than try and
handle the headers in a PHP app. 

> So far I have working code which can generate, send, receive and
> decode the NTLMv2 messages. The only catch is that I cannot easily
> verify the authentication
> messages sent by the browser in response to the challenge messages
> that my app has sent, as the app does not have access to the user
> database, which is only
> stored in the AD. The app can access the AD via secure LDAP, but that
> does not seem to help with the NTLM hashes (the app never stores user
> passwords locally).

As you have probably figured out, you need to use the secure netlogon
protocol to verify NTLM authentication.

> I thought that the ntlm_auth tool for Samba might be used in this
> scenario, as it seems to have been developed to do exactly the same
> for Squid.
> I played around with it a little bit, but so far have not managed to
> get it working, hence my questions to the list:
> 1. would you recommend just abandoning this path and favour other
> auth protocols/tools, because of known blockers (apart from ntlm not
> being considered very
> secure any more) ?

> 2. can the ntlm_auth command verify the authentication for a given
> user if my app provides to it the username, challenge, and browser
> response to that
> challenge? Or is it mandatory to let ntlm_auth generate the challenge
> by itself?

You should not decode the NTLM response, just use the squid-2.5-ntlmssp
helper mode and feed it the whole NTLMSSP blob.  But don't do it in
PHP, let mod_auth_ntlm_winbind do it for you, as it can hold the TCP
socket open properly.

> 3. if the answer to 2) is yes, what are the command line parameters
> needed for such an interaction?
> 4. if the answer to 2) is no, is the best way to integrate it to use
> the "squid-2.5-ntlmssp" protocol?
> What I have working so far:
> - samba 4.2.10 (from Debian jessie package) joined to a MS AD domain
> (windows server 2012)
> - ntlm_auth --username=ggiunta (and password given when asked) => ok
> - ntlm_auth --helper-protocol=ntlmssp-client-1 => ok
> - ntlm_auth --helper-protocol=squid-2.5-basic => ko
> - ntlm_auth --username=ggiunta --challenge=68656c6c6f313233 --nt-response=... => ko

Don't use this mode for what you are doing.

Andrew Bartlett
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
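
What the squid-2.5-ntlmssp exchange recommended above looks like when driven from a web application, as an added example that is not part of the post and not Samba's own code. The asker's PHP is swapped for Python so the pure parts can be run offline. It assumes the Squid NTLM helper line protocol (YR/KK requests, TT/AF/NA/BH replies) as used by ntlm_auth in that mode; the NTLMSSP bytes in SAMPLE_NEGOTIATE are constructed rather than captured, and the function and class names are the example's own.

```python
"""Drive ntlm_auth in its squid-2.5-ntlmssp helper mode from a web app.

Added example; not code from the mailing-list post or from Samba.
The helper protocol is line based. The web app forwards each NTLMSSP
token from the browser's "Authorization: NTLM <base64>" header as
"YR <base64>" for a type 1 (Negotiate) message or "KK <base64>" for a
type 3 (Authenticate) message. ntlm_auth answers "TT <base64>" with the
type 2 challenge to send back in WWW-Authenticate, then "AF <user>" when
the domain controller accepted the response over netlogon, "NA <reason>"
when it refused it, or "BH <reason>" on a helper-side error. The helper
keeps the challenge between YR and KK, so both tokens of one browser
connection must reach the same helper process.
"""
import base64
import shutil
import subprocess

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"

# Constructed type 1 (Negotiate) token: signature, message type 1, a typical
# flag word and empty domain/workstation fields. Not a real capture.
SAMPLE_NEGOTIATE = (NTLMSSP_SIGNATURE + (1).to_bytes(4, "little")
                    + b"\x07\x82\x08\xa2" + b"\x00" * 16)


def ntlmssp_type(blob: bytes) -> int:
    """Return the NTLMSSP message type (1, 2 or 3) from the 12-byte header."""
    if len(blob) < 12 or blob[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP token")
    return int.from_bytes(blob[8:12], "little")


def token_from_header(authorization: str) -> bytes:
    """Extract the raw token from an 'Authorization: NTLM <base64>' value."""
    scheme, _, b64 = authorization.strip().partition(" ")
    if scheme.upper() != "NTLM" or not b64:
        raise ValueError("not an NTLM Authorization header")
    return base64.b64decode(b64)


def helper_request(token: bytes) -> str:
    """Build the helper request line: YR for Negotiate, KK for Authenticate."""
    mtype = ntlmssp_type(token)
    if mtype == 1:
        prefix = "YR"
    elif mtype == 3:
        prefix = "KK"
    else:
        # Only the server side emits type 2; a browser sending it is a bug or an attack.
        raise ValueError(f"browser should never send NTLMSSP type {mtype}")
    return f"{prefix} {base64.b64encode(token).decode('ascii')}"


def parse_helper_reply(line: str):
    """Map one ntlm_auth reply line to a (status, detail) pair."""
    code, _, rest = line.rstrip("\r\n").partition(" ")
    if code == "TT":
        return ("challenge", base64.b64decode(rest))  # raw type 2 blob
    if code == "AF":
        return ("ok", rest)          # authenticated user as printed by the helper
    if code == "NA":
        return ("denied", rest)      # logon refused by the DC, e.g. wrong password
    if code == "BH":
        return ("error", rest)       # helper failure, not a user error
    raise ValueError(f"unexpected helper reply: {line!r}")


class NtlmAuthHelper:
    """One ntlm_auth process holding the state of one NTLM handshake.

    Must run as a user allowed to use winbindd's privileged pipe (normally
    via the winbindd_priv group); otherwise expect BH replies.
    """

    def __init__(self, ntlm_auth: str = "ntlm_auth"):
        self.proc = subprocess.Popen(
            [ntlm_auth, "--helper-protocol=squid-2.5-ntlmssp"],
            stdin=subprocess.PIPE, stdout=subprocess.PIPE, text=True, bufsize=1,
        )

    def _roundtrip(self, token: bytes):
        self.proc.stdin.write(helper_request(token) + "\n")
        self.proc.stdin.flush()
        return parse_helper_reply(self.proc.stdout.readline())

    def negotiate(self, type1: bytes) -> bytes:
        """Feed the browser's Negotiate token; return the raw type 2 challenge."""
        status, detail = self._roundtrip(type1)
        if status != "challenge":
            raise RuntimeError(f"expected TT, got {status}: {detail}")
        return detail

    def authenticate(self, type3: bytes):
        """Feed the browser's Authenticate token; ("ok", user) or a refusal."""
        return self._roundtrip(type3)

    def close(self) -> None:
        self.proc.stdin.close()
        self.proc.wait()


if __name__ == "__main__":
    # The parsing helpers run anywhere; the handshake needs a joined Samba
    # member with winbindd, so it is skipped when ntlm_auth is not installed.
    print(helper_request(SAMPLE_NEGOTIATE))
    if shutil.which("ntlm_auth"):
        helper = NtlmAuthHelper()
        challenge = helper.negotiate(SAMPLE_NEGOTIATE)
        print("WWW-Authenticate: NTLM " + base64.b64encode(challenge).decode("ascii"))
        # The browser's type 3 reply would then go to helper.authenticate(...).
        helper.close()
```

The class makes the advice about the Apache module concrete: the ntlm_auth process has to stay alive between the YR line and the KK line, and the browser sends those two tokens on the same connection, so whatever fronts the helper must pin one helper to one client connection. A short-lived PHP request has no natural place to keep that state, which is why the reply points at mod_auth_ntlm_winbind instead.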
