[prev in list] [next in list] [prev in thread] [next in thread] 

List:       samba-technical
Subject:    Re: Question on ntlm_auth tool
From:       Andrew Bartlett <abartlet () samba ! org>
Date:       2004-09-10 8:44:27
Message-ID: 1094805867.4672.1024.camel () piglett ! bartlett ! house
[Download RAW message or body]


On Fri, 2004-09-10 at 10:02, Yimin Chen wrote:
> Hi Andrew,
> 
> Thank you very much for the suggestion. I wasn't aware at all that 
> winbind_request APIs are not for external use.
> 
> 
> Now Looking at the ntlm_auth tool again, I have a few more questions:
> 
> 1) What is the option to retrieve the challenge from the server? In the 
> NTLM authentication case, we need to pass the challenge back to client, 
> and then retrieve the NT LM responses from client response, and pass the 
> callenge as well as the NT LM responses to the ntlm_auth tool, right?
> 
> I must have missed something, but can't figure out.

Are you doing NTLM or NTLMSSP?  What is the target protocol?  (MSCHAP?
MSCHAPv2?  NTLMSSP/HTTP?)

Fundamentally, ntlm_auth operates as a privileged client in the domain,
and the challenge is either generated inside the helper, or supplied to
it, depending on mode of operation.

> 2) Is there a dynamic library API instead of binary calls of ntlm_auth 
> that we can use to achieve the ntlm authentication? Invoking API calls 
> could have lower overhead than binary calls.

Not at this stage - it was decided that a fork()/exec() interface
allowed for the best compatibility going forward, as well as a clear
licence boundary.  There are proposals for a shared lib interface for
other winbind functions, but I don't yet see the need to extend it here.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet@samba.org
Authentication Developer, Samba Team            http://samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net

["signature.asc" (application/pgp-signature)]

[prev in list] [next in list] [prev in thread] [next in thread]