Using ntlm_auth to get NTLMv2 Session support from an application


Using ntlm_auth to get NTLMv2 Session support from an application

Samba - General mailing list
Hello:

As many of you already probably know, the neon library is the workhorse for
davfs support.

However, right now, the current version of libneon has very limited support
for NTLM, particularly NTLMv2, both on the challenge/authentication side as
well as handling NTLMv2 Session Security.

There is a patch somewhere to add NTLMv2 authentication support natively
but there is zero support for NTLMv2 session security. What this means is
that if you try to mount a share using davfs and the server in question
requires 128-bit session security, libneon fails to negotiate and the mount
fails. I have at least one enterprise customer who relies on NTLMv2
exclusively (despite the fact the world has moved on to HTTPS).

Is there a way to hook up the "ntlm_auth" utility to do the heavy lifting
of authenticating/creating NTLMv2 sessions in order to mount using davfs?

I realize I may be barking up the wrong tree, but I am trying to come up
with a way to leverage Samba's already robust support for Windows
authentication without having to duplicate the effort within libneon and
friends (I am not the maintainer but I do have an urgent desire to mount
Sharepoint shares using davfs via NTLMv2 session security).

Any insight, feedback into this issue would be much appreciated.

Thanks!

-aps

PS Can anyone please explain to me why all the list mails' subjects are
always prepended with [Samba]? (I manually added it to be in vogue)
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: Using ntlm_auth to get NTLMv2 Session support from an application

On Wed, Apr 19, 2017 at 11:03:34AM -0400, pisymbol . via samba wrote:

> Hello:
>
> As many of you already probably know, the neon library is the workhorse for
> davfs support.
>
> However, right now, the current version of libneon has very limited support
> for NTLM, particularly NTLMv2, both on the challenge/authentication side as
> well as handling NTLMv2 Session Security.
>
> There is a patch somewhere to add NTLMv2 authentication support natively
> but there is zero support for NTLMv2 session security. What this means is
> that if you try to mount a share using davfs and the server in question
> requires 128-bit session security, libneon fails to negotiate and the mount
> fails. I have at least one enterprise customer who relies on NTLMv2
> exclusively (despite the fact the world has moved on to HTTPS).
>
> Is there a way to hook up the "ntlm_auth" utility to do the heavy lifting
> of authenticating/creating NTLMv2 sessions in order to mount using davfs?
>
> I realize I may be barking up the wrong tree, but I am trying to come up
> with a way to leverage Samba's already robust support for Windows
> authentication without having to duplicate the effort within libneon and
> friends (I am not the maintainer but I do have an urgent desire to mount
> Sharepoint shares using davfs via NTLMv2 session security).
>
> Any insight, feedback into this issue would be much appreciated.

The squid program does this. Maybe look into the code they
use for their integration?

http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm


Re: Using ntlm_auth to get NTLMv2 Session support from an application

On Wed, Apr 19, 2017 at 1:08 PM, Jeremy Allison <[hidden email]> wrote:
>
> > Any insight, feedback into this issue would be much appreciated.
>
> The squid program does this. Maybe look into the code they
> use for their integration ?
>
> http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm


Jeremy, thanks! That's exactly what I was looking at.

So here's a better question: Can you give me a brief technical explanation
on how this exactly works with respect to establishing a session? The goal
is basically to have mount.davfs first establish an NTLMv2 session (using
128-bit encryption) and then be able to access files through it using
standard filesystem calls.

The config example above is nice, but it doesn't really drill into how this
all works.

Btw, full NTLMv2 Session Security is supported with samba3+ right?

-aps

Re: Using ntlm_auth to get NTLMv2 Session support from an application

On Wed, Apr 19, 2017 at 03:47:05PM -0400, pisymbol . wrote:

> On Wed, Apr 19, 2017 at 1:08 PM, Jeremy Allison <[hidden email]> wrote:
> >
> > > Any insight, feedback into this issue would be much appreciated.
> >
> > The squid program does this. Maybe look into the code they
> > use for their integration ?
> >
> > http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm
>
>
> Jeremy, thanks! That's exactly what I was looking at.
>
> So here's a better question: Can you give me a brief technical explanation
> on how this exactly works with respect to establishing a session? The goal
> is basically to have mount.davfs first establish an NTLMv2 session (using
> 128-bit encryption) and then be able to access files through it using
> standard filesystem calls.

Not quickly. Probably best to look into the squid code itself
and see how they drive it.

> Btw, full NTLMv2 Session Security is supported with samba3+ right?

Yes.


Re: Using ntlm_auth to get NTLMv2 Session support from an application

On Fri, 2017-04-21 at 14:12 -0700, Jeremy Allison via samba wrote:

> On Wed, Apr 19, 2017 at 03:47:05PM -0400, pisymbol . wrote:
> > On Wed, Apr 19, 2017 at 1:08 PM, Jeremy Allison <[hidden email]>
> > wrote:
> > >
> > > > Any insight, feedback into this issue would be much
> > > > appreciated.
> > >
> > > The squid program does this. Maybe look into the code they
> > > use for their integration ?
> > >
> > > http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm
> >
> >
> > Jeremy, thanks! That's exactly what I was looking at.
> >
> > So here's a better question: Can you give me a brief technical
> > explanation
> > on how this exactly works with respect to establishing a session?
> > The goal
> > is basically to have mount.davfs first establish an NTLMv2 session
> > (using
> > 128-bit encryption) and then be able to access files through it
> > using
> > standard filesystem calls.
>
> Not quickly. Probably best to look into the squid code itself
> and see how they drive it.

Also look into Wine.  Kai did something very similar there a long time
ago.

Your task is fairly easy as the resulting HTTP session won't be NTLMSSP
encrypted, just authenticated with NTLMSSP, so you don't need to
involve Samba long-term, or get out encryption keys.

See the 'squid' helper modes, there is ntlmssp-client-1 that you should
use.

You can also play with NTLMSSP over mouse-buffer between that and the
squid-2.5-ntlmssp server mode.  Set --password on the server and it
becomes a standalone binary that does not need Samba running.

I hope this helps,

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba



Re: Using ntlm_auth to get NTLMv2 Session support from an application

On Fri, Apr 21, 2017 at 5:28 PM, Andrew Bartlett <[hidden email]> wrote:

> On Fri, 2017-04-21 at 14:12 -0700, Jeremy Allison via samba wrote:
> > Not quickly. Probably best to look into the squid code itself
> > and see how they drive it.
>
> Also look into Wine.  Kai did something very similar there a long time
> ago.
>

I like red! Not so much white.

> Your task is fairly easy as the resulting HTTP session won't be NTLMSSP
> encrypted, just authenticated with NTLMSSP, so you don't need to
> involve Samba long-term, or get out encryption keys.
>

Right, but clarification Andrew: What do you mean the resultant session
won't be NTLMSSP encrypted? I thought that was the whole point of NTLMv2
session security.


>
> See the 'squid' helper modes, there is ntlmssp-client-1 that you should
> use.
>
>
That's what I figured.


> You can also play with NTLMSSP over mouse-buffer between that and the
> squid-2.5-ntlmssp server mode.  Set --password on the server and it
> becomes standalone binary that does not need Samba running.


It does, but I need to understand the flow better on how I can funnel mount
davfs traffic through it (I thought originally this could be done using
upcall but that doesn't make sense - I think).

I do appreciate the feedback gentlemen.

-aps

Re: Using ntlm_auth to get NTLMv2 Session support from an application

On Sat, 2017-04-22 at 13:41 -0400, pisymbol . wrote:

>
>
> On Fri, Apr 21, 2017 at 5:28 PM, Andrew Bartlett <[hidden email]>
> wrote:
> > On Fri, 2017-04-21 at 14:12 -0700, Jeremy Allison via samba wrote:
> > > Not quickly. Probably best to look into the squid code itself
> > > and see how they drive it.
> >
> > Also look into Wine.  Kai did something very similar there a long
> > time
> > ago.
>
> I like red! Not so much white.

;-)

> > Your task is fairly easy as the resulting HTTP session won't be
> > NTLMSSP
> > encrypted, just authenticated with NTLMSSP, so you don't need to
> > involve Samba long-term, or get out encryption keys.
>
> Right, but clarification Andrew: What do you mean the resultant
> session won't be NTLMSSP encrypted? I thought that was the whole
> point of NTLMv2 session security.

Indeed, but the use on HTTP is dodgy, similar to SMBv1 without signing
- the session is set up, but cleartext and not even authenticated (eg
crypto checksum) after that.  Another good example is LDAP, which
allowed (until we turned it off by default in Samba) LDAP binds without
the subsequent encryption.  

Sadly HTTP has no 'subsequent encryption' option that I'm aware of.

> > See the 'squid' helper modes, there is ntlmssp-client-1 that you
> > should
> > use.
> >
>
> That's what I figured.
>  
> > You can also play with NTLMSSP over mouse-buffer between that and
> > the
> > squid-2.5-ntlmssp server mode.  Set --password on the server and it
> > becomes standalone binary that does not need Samba running.
>
> It does, but I need to understand the flow better on how I can funnel
> mount davfs traffic through it (I thought originally this could be
> done using upcall but that doesn't make sense - I think).

You pass only the NTLM headers via ntlm_auth, the rest you keep in the
binary that makes the actual socket connection.

> I do appreciate the feedback gentlemen.

Thanks!

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba


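A sketch of the integration Andrew describes in this thread (pass only the NTLM tokens through ntlm_auth's ntlmssp-client-1 helper mode, keep the HTTP socket in your own program), written as an added example; it is not code from neon, davfs2, squid or Samba. The helper command line, the reply codes (YR/AF/KK/BH) and the three-leg 401 / 401+CHALLENGE / 200 sequence are assumptions taken from the ntlm_auth man page and the HTTP NTLM scheme, and the FakeNtlmAuthPipe / fake_server stand-ins are constructed so the flow can run offline without a Samba installation or a SharePoint server.

```python
"""Drive Samba's ntlm_auth (ntlmssp-client-1 helper mode) for HTTP NTLM auth.
Added example, not code from neon, davfs2, squid or Samba.  Assumed helper line
protocol: write "YR", read "YR <b64 NEGOTIATE>"; write "TT <b64 CHALLENGE>", read
"AF <b64 AUTHENTICATE>" ("KK" = another round, "BH <text>" = helper error).
Only those tokens cross to ntlm_auth; the HTTP socket stays in this program."""
import base64
import subprocess
from http.client import HTTPConnection


class NtlmAuthHelper:
    """Speaks the ntlmssp-client-1 line protocol over a reader/writer pair."""
    def __init__(self, reader, writer):
        self._reader, self._writer = reader, writer

    @classmethod
    def spawn(cls, username: str, domain: str) -> "NtlmAuthHelper":
        # Assumed argv.  The password stays off argv (readable by every local
        # user via ps): ntlm_auth prompts for it; --password is for unattended use.
        proc = subprocess.Popen(
            ["ntlm_auth", "--helper-protocol=ntlmssp-client-1",
             "--username", username, "--domain", domain],
            stdin=subprocess.PIPE, stdout=subprocess.PIPE, text=True)
        return cls(proc.stdout, proc.stdin)

    def _exchange(self, line: str, expect: tuple) -> str:
        self._writer.write(line + "\n")
        self._writer.flush()
        code, _, payload = self._reader.readline().strip().partition(" ")
        if code not in expect:
            raise RuntimeError(f"ntlm_auth answered {code} {payload!r}, wanted {expect}")
        return payload

    def negotiate(self) -> str:                         # base64 NEGOTIATE (type 1)
        return self._exchange("YR", ("YR",))

    def authenticate(self, challenge_b64: str) -> str:  # base64 AUTHENTICATE (type 3)
        return self._exchange("TT " + challenge_b64, ("AF", "KK"))


def ntlm_http_auth(helper: NtlmAuthHelper, send) -> int:
    """Three-leg NTLM handshake.  send(auth_header_value) issues one request on
    ONE persistent connection and returns (status, WWW-Authenticate or None)."""
    status, www_auth = send(None)
    if status != 401 or not (www_auth or "").startswith("NTLM"):
        return status                                   # server did not ask for NTLM
    status, www_auth = send("NTLM " + helper.negotiate())
    if status != 401 or not (www_auth or "").startswith("NTLM "):
        raise RuntimeError("server did not return an NTLM CHALLENGE")
    status, _ = send("NTLM " + helper.authenticate(www_auth.split(" ", 1)[1].strip()))
    return status


def http_sender(conn: HTTPConnection, method: str, path: str):
    """Real transport: NTLM binds the result to the TCP connection, so every leg
    reuses `conn` and drains the body so the connection stays usable."""
    def send(authorization):
        headers = {"Connection": "keep-alive"}
        if authorization:
            headers["Authorization"] = authorization
        conn.request(method, path, headers=headers)
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.getheader("WWW-Authenticate")
    return send


# Constructed stand-ins so the handshake runs offline.  They mimic only the line
# protocol and the 401 / 401+CHALLENGE / 200 sequence; tokens are placeholder bytes.
def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


class FakeNtlmAuthPipe:
    reply = ""
    def flush(self):
        pass
    def readline(self):
        return self.reply + "\n"
    def write(self, line):
        cmd, _, arg = line.strip().partition(" ")
        if cmd == "YR":
            self.reply = "YR " + _b64(b"FAKE-NEGOTIATE")
        elif cmd == "TT":
            self.reply = "AF " + _b64(b"FAKE-AUTH:" + base64.b64decode(arg))
        else:
            self.reply = "BH unknown command " + cmd


def fake_server():
    """Returns (send, log); accepts only an AUTHENTICATE derived from its CHALLENGE."""
    log = []

    def send(authorization):
        log.append(authorization)
        if authorization is None:
            return 401, "NTLM"
        token = base64.b64decode(authorization.split(" ", 1)[1])
        if token == b"FAKE-NEGOTIATE":
            return 401, "NTLM " + _b64(b"FAKE-CHALLENGE-01")
        return (200, None) if token == b"FAKE-AUTH:FAKE-CHALLENGE-01" else (401, "NTLM")
    return send, log


def demo():
    """Handshake against the fakes; returns (final status, requests issued)."""
    pipe, (send, log) = FakeNtlmAuthPipe(), fake_server()
    return ntlm_http_auth(NtlmAuthHelper(pipe, pipe), send), len(log)
```

Against a real server the call is `ntlm_http_auth(NtlmAuthHelper.spawn(user, domain), http_sender(HTTPConnection(host), "PROPFIND", path))`; the point to notice is that the helper never sees the socket and the program never sees a password hash or session key, exactly the split Andrew suggests. `http_sender` keeps one `HTTPConnection` for all three legs because the server ties the NTLM state to the TCP connection, not to a cookie; opening a fresh connection per request is the classic way such an integration fails.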

Re: Using ntlm_auth to get NTLMv2 Session support from an application

On Sat, Apr 22, 2017 at 4:49 PM, Andrew Bartlett <[hidden email]> wrote:

> On Sat, 2017-04-22 at 13:41 -0400, pisymbol . wrote:
> >
>
> > > Your task is fairly easy as the resulting HTTP session won't be
> > > NTLMSSP
> > > encrypted, just authenticated with NTLMSSP, so you don't need to
> > > involve Samba long-term, or get out encryption keys.
> >
> > Right, but clarification Andrew: What do you mean the resultant
> > session won't be NTLMSSP encrypted? I thought that was the whole
> > point of NTLMv2 session security.
>
> Indeed, but the use on HTTP is dodgy, similar to SMBv1 without signing
> - the session is set up, but cleartext and not even authenticated (eg
> crypto checksum) after that.  Another good example is LDAP, which
> allowed (until we turned it off by default in Samba) LDAP binds without
> the subsequent encryption.
>
> Sadly HTTP has no 'subsequent encryption' option that I'm aware of.
>
>
I would assume once the socket has been setup the davfs commands would go
over the NTLMv2 encrypted session? Did I miss something here?

-aps

Re: Using ntlm_auth to get NTLMv2 Session support from an application

On Sat, 2017-04-22 at 17:45 -0400, pisymbol . wrote:

>
>
> On Sat, Apr 22, 2017 at 4:49 PM, Andrew Bartlett <[hidden email]>
> wrote:
> > On Sat, 2017-04-22 at 13:41 -0400, pisymbol . wrote:
> > >
> >
> > > > Your task is fairly easy as the resulting HTTP session won't be
> > > > NTLMSSP
> > > > encrypted, just authenticated with NTLMSSP, so you don't need
> > to
> > > > involve Samba long-term, or get out encryption keys.
> > >
> > > Right, but clarification Andrew: What do you mean the resultant
> > > session won't be NTLMSSP encrypted? I thought that was the whole
> > > point of NTLMv2 session security.
> >
> > Indeed, but the use on HTTP is dodgy, similar to SMBv1 without
> > signing
> > - the session is set up, but cleartext and not even authenticated
> > (eg
> > crypto checksum) after that.  Another good example is LDAP, which
> > allowed (until we turned it off by default in Samba) LDAP binds
> > without
> > the subsequent encryption.  
> >
> > Sadly HTTP has no 'subsequent encryption' option that I'm aware of.
> >
>
> I would assume once the socket has been setup the davfs commands
> would go over the NTLMv2 encrypted session? Did I miss something
> here?

Yes, you missed that as DAV is essentially HTTP, there is no encrypted
session, except for possibly an SSL wrapper.

I suggest spending some 'quality time' with wireshark and see what you
are trying to imitate, perhaps I'm all out of date, but this is how I
understand the protocols.

I hope this helps,

Andrew Bartlett
--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba


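Andrew's point, that the session-security flags negotiated by NTLMSSP buy nothing for the HTTP traffic after the handshake, can be checked directly on the headers, which is what one would look at in the Wireshark session he recommends. The inspector below is an added example, not code from this thread, Samba, squid or davfs2: it decodes the NEGOTIATE / CHALLENGE / AUTHENTICATE tokens carried in Authorization and WWW-Authenticate headers (message layout and flag bits as in MS-NLMP), lists the session-security flags in the final AUTHENTICATE, and reports that without TLS the request bodies stay cleartext whatever those flags say. The sample exchange (`_token`, `SAMPLE_EXCHANGE`) is constructed, not captured from a real server.

```python
"""Inspect the NTLMSSP tokens an HTTP NTLM exchange carries and report what
session security was actually negotiated.  Added example (not from this thread,
Samba, squid or davfs2); message layout and flag bits follow MS-NLMP; the sample
headers below are constructed, not captured from a real server."""
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
NAMES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
FLAGS_OFFSET = {1: 12, 2: 20, 3: 60}      # byte offset of NegotiateFlags per message type
FLAG_BITS = {
    0x00000010: "NEGOTIATE_SIGN",
    0x00000020: "NEGOTIATE_SEAL",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",   # "NTLMv2 session security"
    0x20000000: "NEGOTIATE_128",
    0x40000000: "NEGOTIATE_KEY_EXCH",
    0x80000000: "NEGOTIATE_56",
}


def parse_ntlmssp(token: bytes):
    """Returns (message name, raw NegotiateFlags) or raises ValueError."""
    if token[:8] != SIGNATURE:
        raise ValueError("not an NTLMSSP token")
    msg_type = struct.unpack_from("<I", token, 8)[0]
    if msg_type not in FLAGS_OFFSET or len(token) < FLAGS_OFFSET[msg_type] + 4:
        raise ValueError(f"unsupported or truncated NTLMSSP message type {msg_type}")
    return NAMES[msg_type], struct.unpack_from("<I", token, FLAGS_OFFSET[msg_type])[0]


def token_from_header(value: str):
    """'NTLM <base64>' -> bytes; a bare 'NTLM' (the first 401) yields None."""
    scheme, _, b64 = value.strip().partition(" ")
    return base64.b64decode(b64) if scheme == "NTLM" and b64 else None


def flag_names(flags: int):
    return [name for bit, name in sorted(FLAG_BITS.items()) if flags & bit]


def assess(exchange, https: bool):
    """exchange: (header name, header value) pairs in wire order.  Summarises the
    messages seen, the flags in the final AUTHENTICATE, and what they buy an HTTP
    client: nothing for the request bodies, which only TLS protects."""
    messages, final_flags = [], 0
    for name, value in exchange:
        if name.lower() not in ("authorization", "www-authenticate"):
            continue
        token = token_from_header(value)
        if token is None:
            continue
        kind, flags = parse_ntlmssp(token)
        messages.append(kind)
        if kind == "AUTHENTICATE":
            final_flags = flags
    names = flag_names(final_flags)
    warnings = []
    if "NEGOTIATE_EXTENDED_SESSIONSECURITY" not in names:
        warnings.append("extended (NTLMv2) session security not negotiated")
    if "NEGOTIATE_128" not in names:
        warnings.append("128-bit session key not negotiated")
    if not https:
        warnings.append("no TLS: NTLMSSP sign/seal flags never apply to HTTP bodies, so "
                        "everything after the handshake is cleartext and unauthenticated")
    return {"messages": messages, "final_flags": names,
            "body_protection": "TLS" if https else "none", "warnings": warnings}


# Constructed sample exchange.  _token builds a minimal message: signature, type,
# zeroed field descriptors, flags (plus a fake server challenge for type 2).
def _token(msg_type: int, flags: int, fields_len: int) -> bytes:
    body = SIGNATURE + struct.pack("<I", msg_type) + b"\x00" * fields_len
    body += struct.pack("<I", flags)
    return body + (b"\x11" * 8 + b"\x00" * 8 if msg_type == 2 else b"")


UNICODE, NTLM, TARGET_INFO, EXT_SEC, BITS128 = 0x1, 0x200, 0x800000, 0x80000, 0x20000000
NEG_FLAGS = UNICODE | NTLM | 0x10 | 0x20 | EXT_SEC | BITS128 | 0x40000000  # asks for SIGN/SEAL
CHAL_FLAGS = UNICODE | NTLM | TARGET_INFO | EXT_SEC | BITS128              # server drops them
AUTH_FLAGS = UNICODE | NTLM | EXT_SEC | BITS128
SAMPLE_EXCHANGE = [
    ("WWW-Authenticate", "NTLM"),
    ("Authorization", "NTLM " + base64.b64encode(_token(1, NEG_FLAGS, 0)).decode()),
    ("WWW-Authenticate", "NTLM " + base64.b64encode(_token(2, CHAL_FLAGS, 8)).decode()),
    ("Authorization", "NTLM " + base64.b64encode(_token(3, AUTH_FLAGS, 48)).decode()),
]


def demo(https: bool = False):
    return assess(SAMPLE_EXCHANGE, https)
```

Run on a capture from a plain-HTTP davfs mount the report shows NTLMv2 session security and a 128-bit key negotiated and still warns, because the sign and seal bits describe keys the HTTP layer never uses; only `https=True` (the "SSL wrapper" in Andrew's reply) clears that warning.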