> On Sunday 24 February 2002 01:58, Robert Collins wrote:
>
> > We like confusion. Actually, I'm confused here. Line 287 of
> > NTLMSSP/auth_ntlm.c is decoded = base64_decode(buf + 3); Where do
> > you see uudecode calls?
>
> In the other two helpers (fakeauth and no_auth).
>
> I am writing another simple helper doing NTLM locally using smbpasswd
> files. Thus I felt the fakeauth helper was a better starting point.

Heh, I am writing something along those lines myself.
Be careful in that that helper must be suid root, since the smbpasswd file
must be closely guarded.

> > > b) Why isn't the negotiate packet sent to the helper? Doesn't the
> > > DC need the users domain name to generate a correct challenge in
> > > case of trust relations or multi-domain configurations?
> >
> > No. The authenticating workstation uses the secure channel to pass
> > the triple (challenge,result,user) to a domain controller of its
> > domain, which then passes the same to the correct domain if the
> > user is not in its domain.
>
> So you are saying that a member server in a NT network can ask to
> verify (challenge,NT-response,user,domain) with their own choice of
> challenge because the DC knows the station by its account?

Yes. That is what the winbindd helper does.

> Makes me wonder why there is a negotiate packet in the first place
> however. It must have some function or else they would not put it
> there, would they? But it does explain the need of all those
> computer and trust accounts and makes some sense from an
> architectural point of view.

The negotiate packet _does_ say something, there's the "flags" bitfield
which defines several parameters to be used in the following phases
(i.e. "I understand Unicode").

> Do you know where can I find more info about this secure channel
> authentication method? I have another related project where I need to
> implement MSCHAPv2 to NT domains, and I strongly suspect MS RAS
> servers are utilising functions in this secure channel to perform
> MSCHAPv2. MSCHAPv2 (and MS-CHAP) uses MD4(NT#) as authentication key.

Your best path is probably talking to the members of the samba team.
They've been very helpful.

-- /kinkie
Received on Mon Feb 25 2002 - 01:54:37 MST
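
Added example (not part of the original message and not code from the Squid helpers): a bounds-checked reader for the "flags" bitfield of the negotiate packet discussed above. It assumes the helper has already base64-decoded the message; the names ntlm_negotiate_flags and sample_negotiate are hypothetical, and the flag values are the ones given in the published NTLM specification (MS-NLMP).

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Flag values from the published NTLM specification (MS-NLMP). */
#define NTLMSSP_NEGOTIATE_UNICODE 0x00000001u
#define NTLMSSP_NEGOTIATE_OEM     0x00000002u
#define NTLMSSP_REQUEST_TARGET    0x00000004u
#define NTLMSSP_NEGOTIATE_NTLM    0x00000200u

/* Read a little-endian 32-bit value without assuming alignment. */
static uint32_t le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse a decoded NEGOTIATE (type 1) message: 8-byte signature,
 * 4-byte message type, 4-byte flags. Returns 0 and stores the flags,
 * or -1 if the buffer is too short or is not a type 1 message.
 * (Hypothetical helper name; the input is untrusted client data.) */
int ntlm_negotiate_flags(const unsigned char *msg, size_t len, uint32_t *flags)
{
    if (msg == NULL || flags == NULL || len < 16)
        return -1;
    if (memcmp(msg, "NTLMSSP\0", 8) != 0)
        return -1;
    if (le32(msg + 8) != 1)
        return -1;
    *flags = le32(msg + 12);
    return 0;
}

/* Constructed sample: type 1 header with flags 0x00000207. */
static const unsigned char sample_negotiate[16] = {
    'N','T','L','M','S','S','P',0, 1,0,0,0, 0x07,0x02,0,0
};

int main(void)
{
    uint32_t f;
    if (ntlm_negotiate_flags(sample_negotiate, sizeof sample_negotiate, &f) != 0)
        return 1;
    printf("unicode=%d oem=%d request_target=%d ntlm=%d\n",
           !!(f & NTLMSSP_NEGOTIATE_UNICODE), !!(f & NTLMSSP_NEGOTIATE_OEM),
           !!(f & NTLMSSP_REQUEST_TARGET), !!(f & NTLMSSP_NEGOTIATE_NTLM));
    return 0;
}
```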