--=-sk4baSduKxJRuZZG21Ae
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

On Fri, 2004-09-10 at 10:02, Yimin Chen wrote:
> Hi Andrew,
>=20
> Thank you very much for the suggestion. I wasn't aware at all that=20
> winbind_request APIs are not for external use.
>=20
>=20
> Now Looking at the ntlm_auth tool again, I have a few more questions:
>=20
> 1) What is the option to retrieve the challenge from the server? In the=20
> NTLM authentication case, we need to pass the challenge back to client,=20
> and then retrieve the NT LM responses from client response, and pass the=20
> callenge as well as the NT LM responses to the ntlm_auth tool, right?
>=20
> I must have missed something, but can't figure out.


Are you doing NTLM or NTLMSSP? What is the target protocol? (MSCHAP?
MSCHAPv2? NTLMSSP/HTTP?)

Fundamentally, ntlm_auth operates as a privileged client in the domain,
and the challenge is either generated inside the helper, or supplied to
it, depending on mode of operation.

> 2) Is there a dynamic library API instead of binary calls of ntlm_auth=20
> that we can use to achieve the ntlm authentication? Invoking API calls=20
> could have lower overhead than binary calls.


Not at this stage - it was decided that a fork()/exec() interface
allowed for the best compatibility going forward, as well as a clear
licence boundary. There are proposals for a shared lib interface for
other winbind functions, but I don't yet see the need to extend it here.

Andrew Bartlett

--=20
Andrew Bartlett abartlet@samba.org
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College abartlet@hawkerc.net

--=-sk4baSduKxJRuZZG21Ae
Content-Type: application/pgp-signature; name=signature.asc
Content-Description: This is a digitally signed message part

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQBBQWlrw6AkmCjZ77cRAinLAKCQT/VQYGyJgqrA9rRGHc9b458ExACeJHgm
Y6ltx1UGcKefoqWaL2D5RB8=
=EzQO
-----END PGP SIGNATURE-----

--=-sk4baSduKxJRuZZG21Ae--