[Samba] Using ntlm_auth to get NTLMv2 Session support from an application

pisymbol . pisymbol at gmail.com
Sat Apr 22 17:41:10 UTC 2017

On Fri, Apr 21, 2017 at 5:28 PM, Andrew Bartlett <abartlet at samba.org> wrote:

> On Fri, 2017-04-21 at 14:12 -0700, Jeremy Allison via samba wrote:
> > Not quickly. Probably best to look into the squid code itself
> > and see how they drive it.
> Also look into Wine.  Kai did something very similar there a long time
> ago.

I like red! Not so much white.

Your task is fairly easy as the resulting HTTP session won't be NTLMSSP
> encrypted, just authenticated with NTLMSSP, so you don't need to
> involve Samba long-term, or get out encryption keys.

Right, but clarification Andrew: What do you mean the resultant session
won't be NTLMSSP encrypted? I thought that was the whole point of NTLMv2
session security.

> See the 'squid' helper modes, there is ntlmssp-client-1 that you should
> use.
That's what I figured.

> You can also play with NTLMSSP over mouse-buffer between that and the
> squid-2.5-ntlmssp server mode.  Set --password on the server and it
> becomes standalone binary that does not need Samba running.

It does, but I need to understand the flow better on how I can funnel mount
davfs traffic through it (I thought originally this could be done using
upcall but that doesn't make sense - I think).

I do appreciate the feedback gentlemen.


More information about the samba mailing list