On Tue, 2006-05-23 at 15:48 -0700, Murali Bashyam wrote:
> On 5/23/06, Stefan (metze) Metzmacher <metze@xxxxxxxxx> wrote:
> > Murali Bashyam schrieb:
> > > I am investigating the samba4.0 code to see if it can act as an
> > > authentication proxy device sitting in the middle between a CIFS client
> > and
> > > server. It performs pass-through NTLM authentication with the CIFS
> > client (
> > > i.e. samba machine as a server,
> > I think we don't have pass-through auth working fully in samba4 yet.
> > > talking to the NT domain controller), and
> > > next turning around acting on behalf of that logged in user as a client
> > > towards the actual CIFS server.
> > >
> > > Is there anyway to accomplish this in the samba4.0 code base? If so, can
> > > someone point me to the relevant code?
> > you should look at ntvfs/cifs/
> > it provides a file share and proxy requests to another server.
> > but there're some issues with multiple SMB session on one SMB tree
> > connect.
> I understand the code in ntvfs/cifs from a filesystem point of view,
> i.e. being able to do open/read/write/close CIFS operations and beyond.
> From an
> authentication point of view, can we also proxy the negprot and session
> setups requests to another server in an async manner i.e. make the samba
> machine transparent to the NTLM authentication. I didn't see this kind of
> code in that directory, but maybe I missed something there.
No, there is not any NTLM authentication hook in there yet.
> Alternatively, can we use the SAMLogon protocol (MS-RPC based) to obtain the
> NThash of the password of the logged in user, and then use that to
> participate in the NTLM challenge/response towards the actual server? We can
> assume that the machine running samba is a trusted machine in that domain
You can't obtain the NT hash with SamLogon. You can get it as a BDC
however, with SamSync. It may be useful to get the user's session key
however, as that would allow a full MITM attack, including signing.
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net