hi all,
I am running a squid cache using ntlm_auth samba util.
It works great when the users have joined the domain, since then IE sends DOMAIN\Username NTLM information.
But it fails when there is a road warrior who has not joined the domain, but has created a username and password which is identical to a domain user. This way, for instance, the windows smb system lets them in without having to join the domain.
I wanted to install a hook for changing the DOMAIN on certain conditions, but after reading through some NTLM specs, I found out that DOMAINUSER field is encrypted with the password key and that I would have to dig in really deep in the ntlmssp to do the changes, which is somehow not what I want.
So my question:
Could the ntlmssp authentication in samba use the security authority of the domain supplied by the client? So for instance, if the client sends in MYCOMPUTER\User, could the winbind subsystem be configured to contact the local security authority of that user instead of contacting the DOMAIN controller?
Perhaps someone could give me a rough overview of the authentication process used by ntlmssp (which modules are called when; ntlm_auth calls libsmb, ...). ntlm_auth serves as an ntlm server proxy, right? (doing manage_squid_ntlmssp_request)
So when the client sends in its requests it does the server part, but where in ntlmssp.c does it communicate with the domain controller or security authority to testify the password is correct?
And a third question: Would it be easier using kerberos here? If the client is a road warrior but has established a kerberos tgt with the server, could that be reused with the squid cache (granted I would have to create a squid server service key, but that should be no problem)?
Perhaps someone has some experience with that?
thanks -- Jakob