[Samba] Using ntlm_auth with a non-Squid application

Andrew Bartlett abartlet at samba.org
Wed Jun 1 08:56:36 UTC 2016

On Tue, 2016-05-31 at 21:36 +0100, Jonathan Hunter wrote:
> Hi Gaetano,
> Good plan, I'd be very interested in your work as I am starting to
> look at
> symfony here, also!
> I do have ntlm_auth working perfectly using Samba 4 (and with badlock
> patches). I use it with freeradius, not squid. An extract from my
> /etc/raddb/modules/mschap, if it helps:
> ntlm_auth = "/usr/local/samba/bin/ntlm_auth --request-nt-key
> --username=%{%{mschap:User-Name}:-%{%{User-Name}:-None}}
> --domain=%{%{mschap:NT-Domain}:-MYDOMAIN}
> --challenge=%{%{mschap:Challenge}:-00}
> --nt-response=%{%{mschap:NT-Response}:-00}"
> You might get some inspiration from the freeradius ntlm_auth guides;
> or I'm
> happy to share other parts of my config if that helps, too.

I'm glad to hear that the FreeRADIUS use of ntlm_auth continues well. 
 There is also a stdio based method that could be used for that, ntlm
-server-1.  In any case, the difference between FreeRADIUS and a HTTP
server is that FreeRADIUS is pure NTLM (pretending to be MSCHAPv2),
while HTTP is the wrapped NTLMSSP, which it is better to let Samba
parse, for security reasons.

Andrew Bartlett

Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the samba mailing list