Re: [Samba] automatically authenticate domain logged-on users in apache with AD/NTDOM?

2004-10-25 Thread Andrew Bartlett
On Sat, 2004-10-23 at 06:47, [EMAIL PROTECTED] wrote:
> > What I want is to skip the login prompt and instead authenticate using a
> > NTLM/Kerberos ticket...
>
> Yes.
>
> > > > What is happening between the web server & the web client? Is the
> > > > protocol open or reverse engineered? Can this authentication be done
> > > > using apache @ unix (perhaps by apache interacting with samba somehow)?
> > > On the server side - yes, even current versions of SASL support NTLM.
> > Hmm, but there's no mod_sasl around, so I don't see how that will help?
>
> No, you don't use SASL for apache, but you might for Cyrus, etc...
>
> Squid has its own NTLM support, & several mechanisms exist for doing NTLM
> or GSSAPI via apache.
>
> http://modntlm.sourceforge.net/

Unfortunately mod_ntlm has problems, and the NTLMSSP it implements is
quite basic.  As such, I've brought mod_ntlm_winbind up to scratch
(which now uses Samba's ntlm_auth, like Squid does):

http://dp.samba.org/ftp/unpacked/lorikeet/trunk/mod_ntlm_winbind/

That is for Apache 1.3, and someday I'll get some time to write an
apache2 version.  Such a task would start with http://source.grep.no/
but if you look at mod_ntlm_winbind, you can see that a lot of stuff can
be cleaned out.

Andrew Bartlett

-- 
Andrew Bartlett                                 [EMAIL PROTECTED]
Authentication Developer, Samba Team            http://samba.org
Student Network Administrator, Hawker College   [EMAIL PROTECTED]


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

Re: [Samba] automatically authenticate domain logged-on users in apache with AD/NTDOM?

2004-10-25 Thread Andrew Bartlett
On Sat, 2004-10-23 at 05:03, John H Terpstra wrote:
> On Friday 22 October 2004 10:49, Palle Girgensohn wrote:
> > Hi!
> >
> > I don't use MS products at all, so I have very little knowledge with them,
> > but I believe Microsoft has a protocol where Internet Explorer can
> > automatically authenticate against an IIS server, and given that the server
> > and client are on the same NT domain, and the client user is logged in to
> > that domain, the user is automatically logged in without the need to give
> > away the password one more time to the webserver.
>
> Squid + ntlm-auth can handle the SPNEGO protocol.

Sorry, Squid only handles NTLMSSP.  SPNEGO is not defined for HTTP
proxies, but it's guessed that Microsoft will eventually implement it,
and I hope to get Mozilla/Squid there first (it would dramatically
decrease the authentication load on a proxy).

> If you want this from Apache
> you should check out www.vintela.com.

For NTLMSSP, which is all you need in the intranet, then my preference
is mod_ntlm_winbind: 
http://download.samba.org/ftp/unpacked/lorikeet/trunk/mod_ntlm_winbind/

I have SPNEGO support there too, and by hook or by crook, we will have a
Samba helper to support this shortly (I have some work commitments that
require it).  This may be by means of Samba4 or work on the more kludgy
Samba3 SPNEGO helper (both are exposed via ntlm_auth).

Andrew Bartlett

-- 
Andrew Bartlett                                 [EMAIL PROTECTED]
Authentication Developer, Samba Team            http://samba.org
Student Network Administrator, Hawker College   [EMAIL PROTECTED]


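The distinction Andrew draws between raw NTLMSSP and SPNEGO is visible in the first Authorization header a browser sends, so a server-side helper (Apache module, Squid, or a log analyser) can record which path clients actually take. Added example, not code from the thread or from Samba: a small Python classifier that tells raw NTLMSSP (with its message type) apart from a SPNEGO InitialContextToken and names the mechanism SPNEGO proposes first. The OIDs and token layouts are the standard ones; the sample tokens, the NTLMSSP flags value and all function names are constructed for the demo.

```python
import base64
import struct

SPNEGO_OID = bytes.fromhex("06062b0601050502")                  # 1.3.6.1.5.5.2 (DER)
MECHS = {"Kerberos": bytes.fromhex("06092a864886f712010202"),   # 1.2.840.113554.1.2.2
         "NTLMSSP": bytes.fromhex("060a2b06010401823702020a")}  # 1.3.6.1.4.1.311.2.2.10
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLM_MESSAGE_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

def der(tag, body):
    """Minimal DER TLV encoder (short form, or 2-byte long form, for the length)."""
    length = bytes([len(body)]) if len(body) < 0x80 else b"\x82" + struct.pack(">H", len(body))
    return bytes([tag]) + length + body

def ntlm_negotiate_token():
    """Constructed minimal NTLMSSP NEGOTIATE (Type 1): signature, type 1, a plausible flags word, empty fields."""
    return NTLMSSP_SIGNATURE + struct.pack("<II", 1, 0x00088207) + b"\x00" * 16

def spnego_wrap(mech_oid, mech_token):
    """Wrap a mechanism token in a SPNEGO InitialContextToken with a one-entry mechTypes list."""
    neg_token_init = der(0x30, der(0xA0, der(0x30, mech_oid))       # [0] mechTypes
                         + der(0xA2, der(0x04, mech_token)))        # [2] mechToken
    return der(0x60, SPNEGO_OID + der(0xA0, neg_token_init))

def classify_authorization(header_value):
    """Return (scheme, description): raw NTLMSSP with message type, SPNEGO with preferred mechanism, or neither."""
    scheme, _, token_b64 = header_value.strip().partition(" ")
    if scheme not in ("NTLM", "Negotiate"):
        return (scheme, "none")
    token = base64.b64decode(token_b64)
    if token.startswith(NTLMSSP_SIGNATURE):                  # raw NTLMSSP, not wrapped in SPNEGO
        msg_type = struct.unpack_from("<I", token, 8)[0]
        return (scheme, "NTLMSSP " + NTLM_MESSAGE_TYPES.get(msg_type, "type %d" % msg_type))
    if token[:1] == b"\xA1":                                 # NegTokenResp: a later leg of the exchange
        return (scheme, "SPNEGO NegTokenResp")
    pos = 2 + (token[1] & 0x7F) if len(token) > 1 and token[1] & 0x80 else 2  # skip tag and DER length
    if token[:1] != b"\x60" or token[pos:pos + len(SPNEGO_OID)] != SPNEGO_OID:
        return (scheme, "not a SPNEGO token")
    hits = sorted((token.find(oid, pos), name) for name, oid in MECHS.items() if oid in token[pos:])
    return (scheme, "SPNEGO preferring " + hits[0][1] if hits else "SPNEGO, no recognised mechanism")

def sample_results():
    """Classify three constructed integrated-auth headers plus a Basic one, in order."""
    b64 = lambda t: base64.b64encode(t).decode()
    return [classify_authorization(h) for h in (
        "NTLM " + b64(ntlm_negotiate_token()),
        "Negotiate " + b64(spnego_wrap(MECHS["NTLMSSP"], ntlm_negotiate_token())),
        "Negotiate " + b64(spnego_wrap(MECHS["Kerberos"], b"\x01")),
        "Basic dXNlcjpwYXNz")]
```

A client that answers a `WWW-Authenticate: Negotiate` challenge with NTLMSSP inside SPNEGO has fallen back from Kerberos, which is worth surfacing in logs when the goal is ticket-based single sign-on.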

Re: [Samba] automatically authenticate domain logged-on users in apache with AD/NTDOM?

2004-10-22 Thread Adam Tauno Williams
> I don't use MS products at all, so I have very little knowledge with them,
> but I believe Microsoft has a protocol where Internet Explorer can
> automatically authenticate against an IIS server, and given that the server
> and client are on the same NT domain, and the client user is logged in to
> that domain, the user is automatically logged in without the need to give
> away the password one more time to the webserver.

You're talking about NTLM.
 
> What is happening between the web server & the web client? Is the protocol
> open or reverse engineered? Can this authentication be done using apache @
> unix (perhaps by apache interacting with samba somehow)?

On the server side - yes, even current versions of SASL support NTLM.

> Any ideas or links to more info about this would be much appreciated.

On the UNIX/LINUX client side I think you're stuck; nothing I've found supports
it.  If you're in an AD domain or Kerberos environment you can probably do the
same thing with GSSAPI.


Re: [Samba] automatically authenticate domain logged-on users in apache with AD/NTDOM?

2004-10-22 Thread John H Terpstra
On Friday 22 October 2004 10:49, Palle Girgensohn wrote:
> Hi!
>
> I don't use MS products at all, so I have very little knowledge with them,
> but I believe Microsoft has a protocol where Internet Explorer can
> automatically authenticate against an IIS server, and given that the server
> and client are on the same NT domain, and the client user is logged in to
> that domain, the user is automatically logged in without the need to give
> away the password one more time to the webserver.

Squid + ntlm-auth can handle the SPNEGO protocol. If you want this from Apache 
you should check out www.vintela.com.

-- John T.


> What is happening between the web server & the web client? Is the protocol
> open or reverse engineered? Can this authentication be done using apache @
> unix (perhaps by apache interacting with samba somehow)?
>
> Any ideas or links to more info about this would be much appreciated.
> Thanks!
>
> /Palle

-- 
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668

Author:
The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
OpenLDAP by Example, ISBN: 0131488732
Other books in production.


Re: [Samba] automatically authenticate domain logged-on users in apache with AD/NTDOM?

2004-10-22 Thread Palle Girgensohn
Hi!
--On Friday 22 October 2004 14.21 -0400 Adam Tauno Williams [EMAIL PROTECTED] wrote:

> > I don't use MS products at all, so I have very little knowledge with
> > them, but I believe Microsoft has a protocol where Internet Explorer
> > can automatically authenticate against an IIS server, and given that
> > the server and client are on the same NT domain, and the client user is
> > logged in to that domain, the user is automatically logged in without
> > the need to give away the password one more time to the webserver.
>
> You're talking about NTLM.

I've done some more reading, and yes, I think that's what I'm talking 
about. :)  MS calls it Integrated Windows authentication. See 
http://www.microsoft.com/resources/documentation/IIS/6/all/techref/en-us/iisRG_SEC_12.mspx

What I want is to skip the login prompt and instead authenticate using a 
NTLM/Kerberos ticket...

> > What is happening between the web server & the web client? Is the
> > protocol open or reverse engineered? Can this authentication be done
> > using apache @ unix (perhaps by apache interacting with samba somehow)?
>
> On the server side - yes, even current versions of SASL support NTLM.

Hmm, but there's no mod_sasl around, so I don't see how that will help?

> > Any ideas or links to more info about this would be much appreciated.
>
> On the UNIX/LINUX client side I think you're stuck; nothing I've found
> supports it.  If you're in an AD domain or Kerberos environment you can
> probably do the same thing with GSSAPI.

This time I'm really not interested in unix client, only unix as server, so
this is OK, although someone here wrote about Mozilla handling at least
Kerberos...

Thanks for your input!
Palle


Re: [Samba] automatically authenticate domain logged-on users in apache with AD/NTDOM?

2004-10-22 Thread awilliam
> What I want is to skip the login prompt and instead authenticate using a
> NTLM/Kerberos ticket...

Yes.

> > > What is happening between the web server & the web client? Is the
> > > protocol open or reverse engineered? Can this authentication be done
> > > using apache @ unix (perhaps by apache interacting with samba somehow)?
> > On the server side - yes, even current versions of SASL support NTLM.
> Hmm, but there's no mod_sasl around, so I don't see how that will help?

No, you don't use SASL for apache, but you might for Cyrus, etc...

Squid has its own NTLM support, & several mechanisms exist for doing NTLM
or GSSAPI via apache.

http://modntlm.sourceforge.net/
http://modauthkerb.sourceforge.net/configure.html

> > > Any ideas or links to more info about this would be much appreciated.
> > On the UNIX/LINUX client side I think you're stuck; nothing I've found
> > supports it.  If you're in an AD domain or Kerberos environment you can
> > probably do the same thing with GSSAPI.
> This time I'm really not interested in unix client, only unix as server, so
> this is OK, although someone here wrote about Mozilla handling at least
> Kerberos...

http://meta.cesnet.cz/cms/opencms/en/docs/software/devel/negotiate.html


Re: [Samba] automatically authenticate domain logged-on users in apache with AD/NTDOM?

2004-10-22 Thread Palle Girgensohn
Thanks a lot for these links!
Best regards,
Palle
--On Friday 22 October 2004 16.47 -0400 [EMAIL PROTECTED] wrote:

> > What I want is to skip the login prompt and instead authenticate using a
> > NTLM/Kerberos ticket...
>
> Yes.
>
> > > > What is happening between the web server & the web client? Is the
> > > > protocol open or reverse engineered? Can this authentication be done
> > > > using apache @ unix (perhaps by apache interacting with samba
> > > > somehow)?
> > > On the server side - yes, even current versions of SASL support NTLM.
> > Hmm, but there's no mod_sasl around, so I don't see how that will help?
>
> No, you don't use SASL for apache, but you might for Cyrus, etc...
>
> Squid has its own NTLM support, & several mechanisms exist for doing NTLM
> or GSSAPI via apache.
>
> http://modntlm.sourceforge.net/
> http://modauthkerb.sourceforge.net/configure.html
>
> > > > Any ideas or links to more info about this would be much appreciated.
> > > On the UNIX/LINUX client side I think you're stuck; nothing I've found
> > > supports it.  If you're in an AD domain or Kerberos environment you can
> > > probably do the same thing with GSSAPI.
> > This time I'm really not interested in unix client, only unix as server,
> > so this is OK, although someone here wrote about Mozilla handling at
> > least Kerberos...
>
> http://meta.cesnet.cz/cms/opencms/en/docs/software/devel/negotiate.html

