RE: NTLM

From: Chemolli Francesco (USI) <ChemolliF@dont-contact.us>
Date: Mon, 25 Feb 2002 10:02:58 +0100

> > On Sunday 24 February 2002 01:58, Robert Collins wrote:
> >
> > > > b) Why isn't the negotiate packet sent to the helper? Doesn't the
> > > > DC need the user's domain name to generate a correct challenge in
> > > > case of trust relations or multi-domain configurations?
> > >
> > > No. The authenticating workstation uses the secure channel to pass
> > > the triple (challenge,result,user) to a domain controller of its
> > > domain, which then passes the same to the correct domain if the
> > > user is not in its domain.
> >
> > I think you should even if it is not needed for the current NTLMSSP
> > or winbind helpers. If you do then one can easily write a
> > multi-domain NTLMSSP helper without the need of trust relations by
> > simply having a domain->dc translation table in the helper.
>
> Actually, I'm not sure that that will work. IIRC the domain
> present in the negotiate packet is the _machine_ domain, not
> the workstation domain. Because the user's domain is
> orthogonal to the machine domain... This is just from memory.

You're correct. Furthermore, it's only present if the client is NT/2k.

>
> > And are you absolutely sure the domain isn't used when generating the
> > NTLMSSP challenge, for any purpose?
>

The challenge is or should be as random as possible.

> No, but we've never needed it. We started off passing it
> through, and ended up removing it when we introduced caching.
>
> As for handing the negotiate packet to the helper, we're
> actually considering giving the helper less, not more. The
> winbindd helper opens the door to allowing squid generated
> challenges, which means much more efficient processing, and
> less complex internal structures, but on the down side needs
> more smarts. So we're looking at a protocol v4 in the next
> release anyway.

Maybe. I doubt we'll be able to remove complexity though.
Because even if hopefully winbindd will be THE authentication
helper for squid-ntlm, there _will_ be some cases where it won't
be appropriate, for instance because there is no samba on
the host, or because squid is installed and operated by somebody
who has no root access, or who knows. For such occurrences the
NTLMSSP helper, as faulty as it may be, is the only available
choice.

-- 
	/kinkie 
Received on Mon Feb 25 2002 - 07:47:03 MST
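The two protocol points argued over in this thread, that the domain in the Type 1 (negotiate) message is optional and only tells you the client machine's domain, and that the server challenge must be random, can be seen in a small parser. The following is an added example, not code from the squid NTLM helpers, Samba or anyone on this thread. It uses the standard NTLMSSP Type 1 layout (8-byte signature, message type, flags, then two security buffers for the OEM domain and workstation names) and the standard flag values that announce those buffers; the sample messages it parses are constructed inline.

```python
"""Parse an NTLMSSP Type 1 (negotiate) message and generate a server
challenge, to show what a helper can and cannot learn from that message."""
import os
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLMSSP_NEGOTIATE = 1  # message type of the Type 1 packet

# Flag bits announcing that the optional OEM domain / workstation
# security buffers carry data. Win9x-era clients set neither, which is
# why the domain is "only present if the client is NT/2k".
NEGOTIATE_OEM_DOMAIN_SUPPLIED = 0x00001000
NEGOTIATE_OEM_WORKSTATION_SUPPLIED = 0x00002000


def _security_buffer(data, offset):
    """Decode a (length, maxlength, offset) triple and return the bytes it points at.

    The offset is client-controlled, so bounds-check it before slicing.
    """
    length, _maxlen, start = struct.unpack_from("<HHI", data, offset)
    end = start + length
    if end > len(data):
        raise ValueError("security buffer points outside the message")
    return data[start:end]


def parse_negotiate(data):
    """Return flags, domain and workstation from a Type 1 message.

    Domain and workstation are None unless the matching flag is set and
    the buffer is actually present. Note that the domain, when present,
    is the machine's domain as discussed in the thread, not the user's,
    so it is not a reliable routing key for a multi-domain helper.
    """
    if len(data) < 16 or data[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    msg_type, flags = struct.unpack_from("<II", data, 8)
    if msg_type != NTLMSSP_NEGOTIATE:
        raise ValueError("not a Type 1 (negotiate) message")
    domain = workstation = None
    if flags & NEGOTIATE_OEM_DOMAIN_SUPPLIED and len(data) >= 24:
        domain = _security_buffer(data, 16).decode("ascii", "replace")
    if flags & NEGOTIATE_OEM_WORKSTATION_SUPPLIED and len(data) >= 32:
        workstation = _security_buffer(data, 24).decode("ascii", "replace")
    return {"flags": flags, "domain": domain, "workstation": workstation}


def build_negotiate(flags, domain=None, workstation=None):
    """Build a constructed Type 1 message; used here only to produce sample input."""
    fixed_len = 32  # signature(8) + type(4) + flags(4) + two buffers(8 each)
    buffers = b""
    payload = b""
    for text, flag in ((domain, NEGOTIATE_OEM_DOMAIN_SUPPLIED),
                       (workstation, NEGOTIATE_OEM_WORKSTATION_SUPPLIED)):
        if text is not None and flags & flag:
            raw = text.encode("ascii")
            buffers += struct.pack("<HHI", len(raw), len(raw), fixed_len + len(payload))
            payload += raw
        else:
            buffers += struct.pack("<HHI", 0, 0, 0)
    return NTLMSSP_SIGNATURE + struct.pack("<II", NTLMSSP_NEGOTIATE, flags) + buffers + payload


def new_challenge():
    """The 8-byte server challenge: draw it from the OS CSPRNG.

    Nothing from the negotiate message feeds into it, and a counter or
    clock would let an attacker predict or replay challenges.
    """
    return os.urandom(8)


if __name__ == "__main__":
    # Constructed sample: an NT/2k-style client that fills both buffers.
    nt_client = build_negotiate(NEGOTIATE_OEM_DOMAIN_SUPPLIED | NEGOTIATE_OEM_WORKSTATION_SUPPLIED,
                                "EXAMPLEDOM", "WS01")
    print(parse_negotiate(nt_client))
    # Constructed sample: an older client that supplies neither name.
    print(parse_negotiate(build_negotiate(0)))
    print(new_challenge().hex())
```

Running the two constructed samples shows the asymmetry the thread describes: the first parse yields a domain and workstation, the second yields None for both, so any helper logic keyed on the negotiate packet's domain has to cope with its absence, and the challenge is produced without reference to either.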