[Samba] Using ntlm_auth with a non-Squid application

Jonathan Hunter jmhunter1 at gmail.com
Tue May 31 20:36:06 UTC 2016

Hi Gaetano,

Good plan, I'd be very interested in your work as I am starting to look at
symfony here, also!

I do have ntlm_auth working perfectly using Samba 4 (and with badlock
patches). I use it with freeradius, not squid. An extract from my
/etc/raddb/modules/mschap, if it helps:
ntlm_auth = "/usr/local/samba/bin/ntlm_auth --request-nt-key

You might get some inspiration from the freeradius ntlm_auth guides; or I'm
happy to share other parts of my config if that helps, too.



On 31 May 2016 at 15:38, Gaetano Giunta <giunta.gaetano at gmail.com> wrote:

> Hello
> my goal is to write an authentication module for the Symfony php
> framework, which would provide SSO capabilities to browsers that are logged
> in an MS AD domain
> and support the NTLMv2 protocol. Ideally this module would run on linux
> servers, and be portable, i.e. require as few non-php tools and
> network/firewall
> settings as possible (that's why I eschewed the existing Apache modules
> which do Kerberos)
> So far I have working code which can generate, send, receive and decode
> the NTLMv2 messages. The only catch is that I cannot easily verify the
> autentication
> messages sent by the browser in response to the challenge messages that my
> app has sent, as the app does not have access to the user database, which
> is only
> stored in the AD. The app can access the AD via secure LDAP, but that does
> not seem to help with the NTLM hashes (the app never stores user passwords
> locally).
> I thought that the ntlm_auth tool for Samba might be used in this
> scenario, as it seems to have been developed to do exactly the same for
> Squid.
> I played around with it a little bit, but so fare have not managed to get
> it working, hence my questions to the list:
> 1. would you recommend just abandoning this path and favour other auth
> protocols/tools, because of known blockers (apart from ntlm not being
> considered very
> secure any more) ?
> 2. can the ntlm_auth command verify the authentication for a given user if
> my app provides to it the username, challenge, and browser response to that
> challenge? Or is it mandatory to let ntlm_auth generate the challenge by
> itself?
> 3. if the answer to 2) is yes, what are the command line parameters needed
> for such an interaction?
> 4. if the answer to 2) is no, is the best way to integrate it to use the
> "squid-2.5-ntlmssp" protocol?
> What I have working so far:
> - samba 4.2.10 (from Debian jessie package) joined to a MS AD domain
> (windows server 2012)
> - /ntlm_auth --username=ggiunta/ (and password given when asked) => ok
> - /ntlm_auth --helper-protocol=ntlmssp-client-1/ => ok
> - /ntlm_auth --helper-protocol=squid-2.5-basic/ => _ko_
> - /ntlm_auth --username=ggiunta --challenge=68656c6c6f313233
> --nt-response=.../ => _ko_
> Any help is appreciated_
> _
> Gaetano_
> _
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

"If we knew what it was we were doing, it would not be called research,
would it?"
      - Albert Einstein

More information about the samba mailing list