[Samba] Using ntlm_auth with a non-Squid application

Gaetano Giunta giunta.gaetano at gmail.com
Tue May 31 14:38:14 UTC 2016


my goal is to write an authentication module for the Symfony php framework, which would provide SSO capabilities to browsers that are logged in to an MS AD domain
and support the NTLMv2 protocol. Ideally this module would run on linux servers, and be portable, i.e. require as few non-php tools and network/firewall
settings as possible (that's why I eschewed the existing Apache modules which do Kerberos)

So far I have working code which can generate, send, receive and decode the NTLMv2 messages. The only catch is that I cannot easily verify the authentication
messages sent by the browser in response to the challenge messages that my app has sent, as the app does not have access to the user database, which is only
stored in the AD. The app can access the AD via secure LDAP, but that does not seem to help with the NTLM hashes (the app never stores user passwords locally).

I thought that the ntlm_auth tool for Samba might be used in this scenario, as it seems to have been developed to do exactly the same for Squid.

I played around with it a little bit, but so far have not managed to get it working, hence my questions to the list:

1. would you recommend just abandoning this path and favouring other auth protocols/tools, because of known blockers (apart from ntlm not being considered very
secure any more)?

2. can the ntlm_auth command verify the authentication for a given user if my app provides to it the username, challenge, and browser response to that
challenge? Or is it mandatory to let ntlm_auth generate the challenge by itself?

3. if the answer to 2) is yes, what are the command line parameters needed for such an interaction?

4. if the answer to 2) is no, is the best way to integrate it to use the "squid-2.5-ntlmssp" protocol?

What I have working so far:

- samba 4.2.10 (from Debian jessie package) joined to a MS AD domain (windows server 2012)

- ntlm_auth --username=ggiunta (and password given when asked) => ok

- ntlm_auth --helper-protocol=ntlmssp-client-1 => ok

- ntlm_auth --helper-protocol=squid-2.5-basic => ko

- ntlm_auth --username=ggiunta --challenge=68656c6c6f313233 --nt-response=... => ko

Any help is appreciated.
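As an added illustration (not part of Gaetano's post, and not Samba's own code), here is how an application could drive the squid-2.5-ntlmssp helper protocol raised in question 4, where ntlm_auth generates the challenge itself and the app never handles any password hash. It is written in Python rather than PHP because the exchange is language-neutral; the YR/TT/KK/AF/NA line format is assumed from Squid's NTLM helper protocol as ntlm_auth implements it, and the class and function names are hypothetical.

```python
import base64
import subprocess

# Assumed helper exchange (Squid NTLM helper protocol, ntlm_auth --helper-protocol=squid-2.5-ntlmssp):
#   app -> helper: "YR <base64 Type 1>"    helper -> app: "TT <base64 Type 2 challenge>"
#   app -> helper: "KK <base64 Type 3>"    helper -> app: "AF <user>" | "NA <reason>" | "BH <error>"
# The app only relays the browser's blobs; winbind validates the NTLMv2 response against AD.

def parse_reply(line):
    """Split one helper reply into (code, payload); a TT payload is base64-decoded."""
    line = line.rstrip("\r\n")
    if not line:
        raise ValueError("empty reply from helper (did the process exit?)")
    code, _, payload = line.partition(" ")
    if code not in ("TT", "AF", "NA", "BH"):
        raise ValueError("unexpected helper reply: %r" % line)
    if code == "TT":
        return code, base64.b64decode(payload)
    return code, payload

class NtlmAuthHelper:
    """Drive one ntlm_auth process through a single challenge/response round."""

    def __init__(self, binary="ntlm_auth"):
        self.proc = subprocess.Popen(
            [binary, "--helper-protocol=squid-2.5-ntlmssp"],
            stdin=subprocess.PIPE, stdout=subprocess.PIPE, text=True, bufsize=1)

    def _round_trip(self, prefix, blob):
        self.proc.stdin.write("%s %s\n" % (prefix, base64.b64encode(blob).decode()))
        self.proc.stdin.flush()
        return parse_reply(self.proc.stdout.readline())

    def challenge(self, type1):
        """Relay the browser's Type 1 message; returns the Type 2 challenge bytes to send back."""
        code, payload = self._round_trip("YR", type1)
        if code != "TT":
            raise RuntimeError("challenge failed: %s %s" % (code, payload))
        return payload

    def authenticate(self, type3):
        """Relay the browser's Type 3 message; returns (ok, authenticated user or failure reason)."""
        code, payload = self._round_trip("KK", type3)
        return code == "AF", payload

    def close(self):
        self.proc.stdin.close()
        self.proc.wait()
```

The helper handles one round per YR/KK pair, so the app must keep the same process (or a per-session one) between the two browser round trips; a BH reply means the helper itself failed and should be restarted rather than treated as a bad password.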
