[Samba] Using ntlm_auth to get NTLMv2 Session support from an application
pisymbol at gmail.com
Sat Apr 22 21:45:46 UTC 2017
On Sat, Apr 22, 2017 at 4:49 PM, Andrew Bartlett <abartlet at samba.org> wrote:
> On Sat, 2017-04-22 at 13:41 -0400, pisymbol . wrote:
> > > Your task is fairly easy as the resulting HTTP session won't be
> > > NTLMSSP
> > > encrypted, just authenticated with NTLMSSP, so you don't need to
> > > involve Samba long-term, or get out encryption keys.
> > Right, but clarification Andrew: What do you mean the resultant
> > session won't be NTLMSSP encrypted? I thought that was the whole
> > point of NTLMv2 session security.
> Indeed, but the use on HTTP is dodgy, similar to SMBv1 without signing
> - the session is set up, but cleartext and not even authenticated (e.g.
> crypto checksum) after that. Another good example is LDAP, which
> allowed (until we turned it off by default in Samba) LDAP binds without
> the subsequent encryption.
> Sadly HTTP has no 'subsequent encryption' option that I'm aware of.
I would assume once the socket has been set up the davfs commands would go
over the NTLMv2 encrypted session? Did I miss something here?
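
An added example, not part of the original message or of Samba's code: a small decoder for the NTLMSSP token carried in an HTTP `Authorization: NTLM ...` header, showing which session-security flags the handshake negotiated. The helper names and the sample token are constructed for illustration; the flag values and field offsets follow the NTLMSSP (MS-NLMP) message layout.

```python
import base64
import struct

# Negotiate flag bits from the NTLMSSP specification (MS-NLMP).
FLAGS = {
    0x00000010: "NEGOTIATE_SIGN",
    0x00000020: "NEGOTIATE_SEAL",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x20000000: "NEGOTIATE_128",
    0x40000000: "NEGOTIATE_KEY_EXCH",
}
# Byte offset of the NegotiateFlags field for message types 1, 2 and 3.
FLAG_OFFSET = {1: 12, 2: 20, 3: 60}


def parse_ntlm_header(value):
    """Return (message_type, [flag names]) for an 'NTLM <base64>' header value."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        raise ValueError("not an NTLM header")
    blob = base64.b64decode(token.strip(), validate=True)
    if len(blob) < 12 or blob[:8] != b"NTLMSSP\x00":
        raise ValueError("missing NTLMSSP signature")
    (msg_type,) = struct.unpack_from("<I", blob, 8)
    offset = FLAG_OFFSET.get(msg_type)
    if offset is None or len(blob) < offset + 4:
        raise ValueError("unsupported or truncated NTLMSSP message")
    (flags,) = struct.unpack_from("<I", blob, offset)
    return msg_type, [name for bit, name in sorted(FLAGS.items()) if flags & bit]


def build_sample_negotiate(flags):
    """Constructed Type 1 message: signature, type, flags, two empty fields."""
    blob = b"NTLMSSP\x00" + struct.pack("<II", 1, flags) + b"\x00" * 16
    return "NTLM " + base64.b64encode(blob).decode()


if __name__ == "__main__":
    # Constructed sample: extended session security, sign, seal, NTLM, Unicode.
    sample = build_sample_negotiate(0x00080000 | 0x10 | 0x20 | 0x200 | 0x1)
    msg_type, names = parse_ntlm_header(sample)
    print(sample)
    print("type", msg_type, "negotiated:", ", ".join(names))
    # Per the thread: even with SIGN/SEAL listed here, the HTTP requests
    # that follow the handshake are sent without NTLMSSP wrapping.
```

The flags only describe what the two ends offered during authentication; as discussed in the thread, protecting the requests that follow has to come from the transport.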