[Samba] Using ntlm_auth to get NTLMv2 Session support from an application
abartlet at samba.org
Sun Apr 23 04:04:05 UTC 2017
On Sat, 2017-04-22 at 17:45 -0400, pisymbol . wrote:
> On Sat, Apr 22, 2017 at 4:49 PM, Andrew Bartlett <abartlet at samba.org>
> > On Sat, 2017-04-22 at 13:41 -0400, pisymbol . wrote:
> > >
> > > > Your task is fairly easy as the resulting HTTP session won't be
> > > > NTLMSSP encrypted, just authenticated with NTLMSSP, so you don't
> > > > need to involve Samba long-term, or get out encryption keys.
> > >
> > > Right, but clarification Andrew: What do you mean the resultant
> > > session won't be NTLMSSP encrypted? I thought that was the whole
> > > point of NTLMv2 session security.
> > Indeed, but the use on HTTP is dodgy, similar to SMBv1 without
> > signing - the session is set up, but cleartext and not even
> > authenticated (eg crypto checksum) after that. Another good example
> > is LDAP, which allowed (until we turned it off by default in Samba)
> > LDAP binds without the subsequent encryption.
> >
> > Sadly HTTP has no 'subsequent encryption' option that I'm aware of.
> I would assume once the socket has been set up the davfs commands
> would go over the NTLMv2 encrypted session? Did I miss something?
Yes, you missed that as DAV is essentially HTTP, there is no encrypted
session, except for possibly an SSL wrapper.
I suggest spending some 'quality time' with wireshark and see what you
are trying to imitate, perhaps I'm all out of date, but this is how I
understand the protocols.
I hope this helps,
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
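The point Andrew makes above, that an HTTP (and so WebDAV) NTLM handshake authenticates the connection but does not go on to sign or seal the traffic, is something you can check for yourself on a captured exchange. The following is an added example, not code from this thread or from Samba: it base64-decodes the NTLMSSP tokens carried in the `Authorization: NTLM` / `WWW-Authenticate: NTLM` headers, reads the message type and the NegotiateFlags field at the offsets given in MS-NLMP, and reports whether the client asked for NTLMv2 session security, signing or sealing, while noting that for HTTP the body is protected only when the transport itself is TLS. The three-message handshake and the hostname `dav.example.test` are constructed for the example; the flag values and field offsets are the published MS-NLMP constants.

```python
"""Added example (not code from the Samba thread): parse the NTLMSSP tokens
carried in HTTP NTLM auth headers and report what they do and do not protect."""
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE, CHALLENGE, AUTHENTICATE = 1, 2, 3

# NegotiateFlags bits from MS-NLMP 2.2.2.5
NTLMSSP_NEGOTIATE_SIGN = 0x00000010
NTLMSSP_NEGOTIATE_SEAL = 0x00000020
NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY = 0x00080000   # "NTLMv2 session security"
NTLMSSP_NEGOTIATE_KEY_EXCH = 0x40000000

# Byte offset of NegotiateFlags in each message type (MS-NLMP 2.2.1.1 - 2.2.1.3)
FLAGS_OFFSET = {NEGOTIATE: 12, CHALLENGE: 20, AUTHENTICATE: 60}


def parse_ntlmssp(blob: bytes):
    """Return (message_type, negotiate_flags) from a raw NTLMSSP token."""
    if len(blob) < 12 or blob[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP token")
    msg_type = struct.unpack_from("<I", blob, 8)[0]
    offset = FLAGS_OFFSET.get(msg_type)
    if offset is None or len(blob) < offset + 4:
        raise ValueError(f"malformed NTLMSSP message type {msg_type}")
    return msg_type, struct.unpack_from("<I", blob, offset)[0]


def token_from_header(header_line: str) -> bytes:
    """Pull the base64 token out of 'Authorization: NTLM ...' or
    'WWW-Authenticate: NTLM ...'."""
    _, _, value = header_line.partition(":")
    scheme, _, token = value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token.strip():
        raise ValueError("header does not carry an NTLM token")
    return base64.b64decode(token.strip())


def audit_http_ntlm(url: str, header_lines):
    """Summarise the NTLM handshake seen in one HTTP session's headers.

    The AUTHENTICATE token carries the flags the client finally settled on,
    so those are reported.  HTTP never wraps its messages with NTLM signing or
    sealing, though, so request/response bodies are protected only when the
    transport is TLS, whatever the flags say.
    """
    final_flags = None
    seen = []
    for line in header_lines:
        msg_type, flags = parse_ntlmssp(token_from_header(line))
        seen.append(msg_type)
        if msg_type == AUTHENTICATE:
            final_flags = flags
    if final_flags is None:
        raise ValueError("no AUTHENTICATE message; handshake incomplete")
    return {
        "handshake": seen,
        "ntlmv2_session_security": bool(final_flags & NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY),
        "sign_flag": bool(final_flags & NTLMSSP_NEGOTIATE_SIGN),
        "seal_flag": bool(final_flags & NTLMSSP_NEGOTIATE_SEAL),
        "body_encrypted": url.lower().startswith("https://"),
    }


# --- constructed sample handshake (not a real capture) ----------------------
def build_ntlmssp(msg_type: int, flags: int) -> bytes:
    """Build a minimal NTLMSSP message of the given type with every
    variable-length field left empty (length/offset descriptors zeroed)."""
    body = NTLMSSP_SIGNATURE + struct.pack("<I", msg_type)
    if msg_type == NEGOTIATE:
        body += struct.pack("<I", flags) + b"\x00" * 16          # DomainName, Workstation fields
    elif msg_type == CHALLENGE:
        body += b"\x00" * 8 + struct.pack("<I", flags)           # TargetName fields, then flags
        body += b"\x00" * 24                                     # ServerChallenge, Reserved, TargetInfo
    else:
        body += b"\x00" * 48 + struct.pack("<I", flags)          # six field descriptors, then flags
    return body


def ntlm_header(name: str, msg_type: int, flags: int) -> str:
    return f"{name}: NTLM " + base64.b64encode(build_ntlmssp(msg_type, flags)).decode()


SAMPLE_FLAGS = (NTLMSSP_NEGOTIATE_SIGN | NTLMSSP_NEGOTIATE_SEAL
                | NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY | NTLMSSP_NEGOTIATE_KEY_EXCH)
SAMPLE_HEADERS = [
    ntlm_header("Authorization", NEGOTIATE, SAMPLE_FLAGS),
    ntlm_header("WWW-Authenticate", CHALLENGE, SAMPLE_FLAGS),
    ntlm_header("Authorization", AUTHENTICATE, SAMPLE_FLAGS),
]

if __name__ == "__main__":
    for url in ("http://dav.example.test/", "https://dav.example.test/"):
        print(url, audit_http_ntlm(url, SAMPLE_HEADERS))
```

Run against the constructed handshake, the report shows sign and seal flags set and NTLMv2 session security requested, yet `body_encrypted` is false for the plain `http://` URL and true only for `https://`: the flags describe what the NTLM layer could do, not what HTTP actually applies to the DAV traffic that follows. To use it on real traffic, feed it the three header lines copied out of Wireshark's HTTP dissection and the request URL.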