On Fri, 12 Jul 2002, Johann Hanne wrote:

>
> Hi folks,
>
> Short version:
> --------------
> Can anybody tell me if there are hooks in Samba that make it possible
> to use it in conjunction with an apache module for HTTP-based
> NTLM-authentication?
>
> Long version:
> -------------
> Internet Explorer can authenticate against a Web-Server using the
> so-called NTLM-authentication (see
> http://www.innovation.ch/java/ntlm.html). Despite the fact that the method
> is braindead, it is extremely useful for Intranets and seems to be
> reliable.
>
> The whole thing is based on the authentication used by any SMB client that
> connects to a SMB server:
> - The client connects to the server
> - The server generates and sends some random bytes (challenge)
> - The client sends a hash generated from password and challenge

Do you have a trace of what the client actually sends? There has been much
discussion about this on this list and on #samba-technical and it may
already be possible or close to possible using samba-head based code.

It sounds like the client is doing a Windows LOGON using the previously
computed NT HASH generated when the user logged onto the client.

> What I need are hooks to:
> - Connect to the SMB-Server
> - Intercept the random bytes
> - Send the hash
>
> The point is that a function that just checks a combination of
> username+cleartext-password is not enough, as I don't have a
> cleartext-password.
>
> A thing that would be even more interesting is if there is a way to do the
> authentication as a domain member, i.e. not by doing
> try-and-error-connects but by using the appropriate protocol.
>
> I know there is already an apache module called "mod_ntlm" at sourceforge
> (and some extended versions). However, it is very unstable (apache
> processes segfault quite often) and it uses SMB code "Copyright (C)
> Richard Sharpe 1996". I'd really love to use some current code for it!

Sigh, yes, that code got away :-(

> I've already found the function domain_client_validate() in
> domain_client_validate.c. However, this file seems to be unused currently as
> it isn't compiled by the makefile and I wasn't able to compile it manually
> due to undefined symbols and conflicts with another function with the same
> name.
> This one is defined in smbd/password.c and is probably used in smbd. Is it
> possible to use the function without the smbd environment?
>
> Any comments?
>
> Cheers, Jonny <[EMAIL PROTECTED]>
>
>

--
Regards
-----
Richard Sharpe, [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
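
Added example (not part of the original message, and not Samba or mod_ntlm code): a small decoder for the `NTLM <base64>` header values in an HTTP trace, showing the challenge bytes in the server's message and the response fields in the client's. The function names are hypothetical, the field offsets follow the commonly documented NTLMSSP message layout, and the code assumes the Type 3 message carries a flags field at offset 60 and treats non-Unicode strings as ASCII.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001  # set: strings are UTF-16LE; clear: OEM code page

def _secbuf(msg, pos):
    # Security buffer: u16 length, u16 allocated, u32 offset from message start.
    length, _alloc, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[offset:offset + length]

def parse_ntlm_header(value):
    """Decode an 'NTLM <base64>' header value taken from an HTTP trace."""
    scheme, _, blob = value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not blob.strip():
        raise ValueError("not an NTLM header value")
    msg = base64.b64decode(blob.strip(), validate=True)
    if len(msg) < 12 or msg[:8] != SIGNATURE:
        raise ValueError("missing NTLMSSP signature")
    (mtype,) = struct.unpack_from("<I", msg, 8)
    if mtype == 2 and len(msg) >= 32:    # server -> client: the random bytes
        return {"type": 2, "challenge": msg[24:32]}
    if mtype == 3 and len(msg) >= 64:    # client -> server: the hashed responses
        (flags,) = struct.unpack_from("<I", msg, 60)
        enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"  # ASCII is an assumption
        text = lambda pos: _secbuf(msg, pos).decode(enc, "replace")
        return {"type": 3, "lm_response": _secbuf(msg, 12),
                "nt_response": _secbuf(msg, 20), "domain": text(28),
                "user": text(36), "workstation": text(44)}
    raise ValueError("unsupported or truncated NTLM message type %d" % mtype)

def constructed_type3(domain, user, host, lm, nt):
    """Build a sample Type 3 message (constructed test data, not a real capture)."""
    fields = [lm, nt] + [s.encode("utf-16-le") for s in (domain, user, host)] + [b""]
    head, body, offset = SIGNATURE + struct.pack("<I", 3), b"", 64
    for data in fields:
        head += struct.pack("<HHI", len(data), len(data), offset)
        body += data
        offset += len(data)
    msg = head + struct.pack("<I", NEGOTIATE_UNICODE) + body
    return "NTLM " + base64.b64encode(msg).decode("ascii")

if __name__ == "__main__":
    # Constructed values: placeholder names and filler bytes for the two responses.
    sample = constructed_type3("EXAMPLE", "alice", "WKSTN01", b"\x11" * 24, b"\x22" * 24)
    print(parse_ntlm_header(sample))
```

Feeding it the header values from a real capture shows whether the client is sending the 24-byte LM and NT responses and which domain, user and workstation names accompany them.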