[Samba] Using ntlm_auth with a non-Squid application

Jonathan Hunter jmhunter1 at gmail.com
Tue May 31 20:36:06 UTC 2016


Hi Gaetano,

Good plan, I'd be very interested in your work as I am starting to look at
symfony here, also!

I do have ntlm_auth working perfectly using Samba 4 (and with badlock
patches). I use it with freeradius, not squid. An extract from my
/etc/raddb/modules/mschap, if it helps:
ntlm_auth = "/usr/local/samba/bin/ntlm_auth --request-nt-key --username=%{%{mschap:User-Name}:-%{%{User-Name}:-None}} --domain=%{%{mschap:NT-Domain}:-MYDOMAIN} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"

You might get some inspiration from the freeradius ntlm_auth guides; or I'm
happy to share other parts of my config if that helps, too.

Cheers,

Jonathan


On 31 May 2016 at 15:38, Gaetano Giunta <giunta.gaetano at gmail.com> wrote:

> Hello
>
> my goal is to write an authentication module for the Symfony php
> framework, which would provide SSO capabilities to browsers that are logged
> in an MS AD domain and support the NTLMv2 protocol. Ideally this module
> would run on linux servers, and be portable, i.e. require as few non-php
> tools and network/firewall settings as possible (that's why I eschewed the
> existing Apache modules which do Kerberos)
>
> So far I have working code which can generate, send, receive and decode
> the NTLMv2 messages. The only catch is that I cannot easily verify the
> authentication messages sent by the browser in response to the challenge
> messages that my app has sent, as the app does not have access to the user
> database, which is only stored in the AD. The app can access the AD via
> secure LDAP, but that does not seem to help with the NTLM hashes (the app
> never stores user passwords locally).
>
> I thought that the ntlm_auth tool for Samba might be used in this
> scenario, as it seems to have been developed to do exactly the same for
> Squid.
>
> I played around with it a little bit, but so far have not managed to get
> it working, hence my questions to the list:
>
> 1. would you recommend just abandoning this path and favour other auth
> protocols/tools, because of known blockers (apart from ntlm not being
> considered very secure any more)?
>
> 2. can the ntlm_auth command verify the authentication for a given user if
> my app provides to it the username, challenge, and browser response to that
> challenge? Or is it mandatory to let ntlm_auth generate the challenge by
> itself?
>
> 3. if the answer to 2) is yes, what are the command line parameters needed
> for such an interaction?
>
> 4. if the answer to 2) is no, is the best way to integrate it to use the
> "squid-2.5-ntlmssp" protocol?
>
>
> What I have working so far:
>
> - samba 4.2.10 (from Debian jessie package) joined to a MS AD domain
> (windows server 2012)
>
> - ntlm_auth --username=ggiunta (and password given when asked) => ok
>
> - ntlm_auth --helper-protocol=ntlmssp-client-1 => ok
>
> - ntlm_auth --helper-protocol=squid-2.5-basic => KO
>
> - ntlm_auth --username=ggiunta --challenge=68656c6c6f313233
> --nt-response=... => KO
>
>
> Any help is appreciated
>
> Gaetano
>



-- 
"If we knew what it was we were doing, it would not be called research,
would it?"
      - Albert Einstein
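The freeradius extract above and Gaetano's question 2 both amount to the same call: hand ntlm_auth the username, the domain, the 8-byte server challenge the application itself placed in its Type 2 message, and the NT response from the browser's Type 3 message. The following Python is an added example of doing that from a non-Squid application; it is not code from either poster or from Samba, the ntlm_auth path is the one from Jonathan's config, and the sample output strings in the test are constructed.

```python
import re
import subprocess

# Path from the freeradius extract in the post; adjust to your install.
NTLM_AUTH = "/usr/local/samba/bin/ntlm_auth"
_HEX = re.compile(r"[0-9a-fA-F]+")


def build_ntlm_auth_args(username, domain, challenge_hex, nt_response_hex,
                         ntlm_auth=NTLM_AUTH):
    """argv for one challenge/response check, mirroring the freeradius mschap
    invocation.  challenge: the 8-byte server challenge the app sent.
    nt_response: NT response field of the Type 3 message (24 bytes for NTLMv1,
    longer for NTLMv2).  Reject malformed input before anything is executed."""
    if not (_HEX.fullmatch(challenge_hex) and len(challenge_hex) == 16):
        raise ValueError("challenge must be 8 bytes as 16 hex digits")
    if not (_HEX.fullmatch(nt_response_hex) and len(nt_response_hex) >= 48
            and len(nt_response_hex) % 2 == 0):
        raise ValueError("NT response must be hex, at least 24 bytes")
    if not username or not domain:
        raise ValueError("username and domain are required")
    return [ntlm_auth, "--request-nt-key",
            "--username=" + username, "--domain=" + domain,
            "--challenge=" + challenge_hex, "--nt-response=" + nt_response_hex]


def parse_ntlm_auth_output(returncode, output):
    """Exit status 0 means winbindd (and so the DC) accepted the response;
    with --request-nt-key a 'NT_KEY: <hex>' line carries the session key.
    On failure the output holds the NTSTATUS text instead."""
    nt_key = None
    for line in output.splitlines():
        if line.startswith("NT_KEY:"):
            nt_key = line.split(":", 1)[1].strip()
    return returncode == 0, nt_key, output.strip()


def verify_ntlm_response(username, domain, challenge_hex, nt_response_hex,
                         runner=subprocess.run):
    """Run ntlm_auth as a list argv (no shell), return (ok, nt_key, detail).
    The app's user needs access to winbindd's privileged socket (typically
    membership of the winbindd_priv group) for --request-nt-key to work."""
    argv = build_ntlm_auth_args(username, domain, challenge_hex, nt_response_hex)
    proc = runner(argv, capture_output=True, text=True)
    return parse_ntlm_auth_output(proc.returncode, proc.stdout + proc.stderr)
```

Do not log the NT response or the returned NT_KEY; the key is what the rest of the session would be protected with.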

