[Samba] Using ntlm_auth with a non-Squid application
Andrew Bartlett
abartlet at samba.org
Wed Jun 1 08:56:36 UTC 2016
On Tue, 2016-05-31 at 21:36 +0100, Jonathan Hunter wrote:
> Hi Gaetano,
>
> Good plan, I'd be very interested in your work as I am starting to
> look at symfony here, also!
>
> I do have ntlm_auth working perfectly using Samba 4 (and with badlock
> patches). I use it with freeradius, not squid. An extract from my
> /etc/raddb/modules/mschap, if it helps:
> ntlm_auth = "/usr/local/samba/bin/ntlm_auth --request-nt-key
> --username=%{%{mschap:User-Name}:-%{%{User-Name}:-None}}
> --domain=%{%{mschap:NT-Domain}:-MYDOMAIN}
> --challenge=%{%{mschap:Challenge}:-00}
> --nt-response=%{%{mschap:NT-Response}:-00}"
>
> You might get some inspiration from the freeradius ntlm_auth guides;
> or I'm happy to share other parts of my config if that helps, too.
I'm glad to hear that the FreeRADIUS use of ntlm_auth continues well.
There is also a stdio-based method that could be used for that,
ntlm-server-1. In any case, the difference between FreeRADIUS and an HTTP
server is that FreeRADIUS is pure NTLM (pretending to be MSCHAPv2),
while HTTP is the wrapped NTLMSSP, which it is better to let Samba
parse, for security reasons.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
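
The stdio method mentioned in this message, as an added example (not code from the post or from Samba): it frames a request for `ntlm_auth --helper-protocol=ntlm-server-1` so user-supplied values travel over stdin instead of an expanded command line, and sends anything that is not plain printable ASCII base64-encoded after `::` so a value cannot add its own parameter line. Field names follow the ntlm_auth man page; the helper path is the one in the quoted config, and UTF-8 for encoded values is an assumption.

```python
import base64
import subprocess

NTLM_AUTH = "/usr/local/samba/bin/ntlm_auth"  # path taken from the quoted config


def _field(name, value):
    """One request line; anything not plain printable ASCII goes as base64."""
    if value.isascii() and value.isprintable() and value == value.strip():
        return f"{name}: {value}\n"
    b64 = base64.b64encode(value.encode("utf-8")).decode("ascii")  # UTF-8 assumed
    return f"{name}:: {b64}\n"


def build_request(username, domain, challenge, nt_response):
    """Frame one ntlm-server-1 request; challenge and response are bytes."""
    if len(challenge) != 8:
        raise ValueError("challenge must be 8 bytes")
    return (_field("Username", username) + _field("NT-Domain", domain)
            + f"LANMAN-Challenge: {challenge.hex()}\n"
            + f"NT-Response: {nt_response.hex()}\n"
            + "Request-User-Session-Key: Yes\n.\n")


def parse_response(text):
    """Collect 'Name: value' lines up to the terminating '.' into a dict."""
    fields = {}
    for line in text.splitlines():
        if line == ".":
            break
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):  # 'Name:: base64'
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        fields[name] = value.strip()
    return fields


def authenticate(username, domain, challenge, nt_response):
    """Run the helper once over stdin/stdout; anything but 'Yes' is a failure."""
    proc = subprocess.run([NTLM_AUTH, "--helper-protocol=ntlm-server-1"],
                          input=build_request(username, domain, challenge, nt_response),
                          capture_output=True, text=True, timeout=10)
    return parse_response(proc.stdout).get("Authenticated") == "Yes"
```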