NTLMSSP authentication added to FreeDCE (requires Samba TNG, uses winbindd)
Luke Kenneth Casson Leighton
lkcl at lkcl.net
Fri Jan 21 05:51:21 CST 2005
i _would_ announce this on the samba mailing lists but the samba team
have placed some rather fascist censorship in place, and consider any
posting that i make to any samba.org addresses to be "net abuse".
i've just modified winbindd (written in 2000 by tim and
andrew) to be able to use it to do NTLM "challenge response"
i also wrote a small library, containing two functions, which could be
used by absolutely any project: they take a user+pass+domain, or a
the functions don't care where your PDC is: it could be on the
local machine, under which circumstances the back-end (winbindd)
will adjust accordingly and save you some network traffic.
both functions return a "blob" which is a NET_USER_INFO_3
structure, which contains valuable information - in particular,
it contains the session key, but also it contains the equivalent
of uid+gid+secondary groups: namely, the primary user rid,
primary group rid, and secondary group SIDs etc. that the user
[for the benefit of the wine people: this information is
essential for doing things like "ImpersonateNamedPipeClient" and
"RpcImpersonateClient" in Wine / ReactOS, if the authentication
being performed is to have any "meaning", as it's what gets passed
to SeAccessCheck(). you can always of course return stub data
and you can always have an implementation of SeAccessCheck return
samba tng cvs can be obtained via www.samba-tng.org/cvs.html and
freedce cvs from http://sf.net/projects/freedce.
you can test the new interface by compiling and running
bin/winbindauthtest - you must have a user of "test" with a
password of "test".
i may have one more thing to do - add "NamedPipe" security
context "inheritance" to the client-side libraries in FreeDCE,
but to be honest i don't think it's all that essential /
there going to be a whopping big demand for it.
More information about the wine-devel