Hi Andrew,

Thanks for your clarifications! I think I now understand it much better.

So if the ntlm_auth tool is enhanced to return the group information, would it be just a list of SIDs, or could it be the actual group names? If it will be SIDs, do we need to query the domain controllers for the group names, or does Samba have another API we can use to do the conversion?


Thanks!
Yimin


At 09:13 AM 9/14/2004 +1000, Andrew Bartlett wrote:
>On Tue, 2004-09-14 at 08:13, Yimin Chen wrote:
> > Hi Andrew,
> >
> >
> > I still have some doubt about the ntlm_auth tool, sorry for posting so
> > many questions. Could you please clarify them for me?
> >
> >
> > 1) I see ntlm_auth has an option to specify the NT/LM responses to get a user
> > authenticated. But if we don't parse the handshakes, but just hand over
> > to the ntlm_auth tool, we won't even know which user we are authenticating.
>
>This is for use in different protocols, such as MSCHAP (used in PPP),
>where we are given the username, NT and LM responses separately. This
>is not the case for the 'blob' based form of NTLMSSP we find in HTTP.
>
> > So we still need to do some parsing to get username, domain, type of
> > message, etc, right? Or anything after "Proxy-Authorization: NTLM "
> > should be passed to ntlm_auth? I am a little confused.
>
>Have a read of:
>
>http://samba.org/ftp/unpacked/lorike..._ntlm_winbind/
>
>and
>
>http://samba.org/ftp/unpacked/lorikeet/trunk/patches/
>
>You will see that when ntlm_auth is finished, it will tell you which
>user was authenticated.
>
> > 2) When you say "blob", is the encoded string inside the authentication
> > header you are referring to? Is there any document about NTLMSSP that I
> > should read to understand it better? The only thing I found right now is
> > from Microsoft site:
> >
> > "NTLMSSP, whose authentication service identifier is RPC_C_AUTHN_WINNT,
> > is a security support provider that is available on all versions of
> > DCOM. It uses the Microsoft® Windows NT® LAN Manager (NTLM) protocol for
> > authentication."
>
>There is actually quite a bit of information about NTLMSSP around -
>start with http://davenport.sf.net/ntlm.html and then read the
>references.
>
>Andrew Bartlett
>
>--
>Andrew Bartlett abartlet@samba.org
>Authentication Developer, Samba Team http://samba.org
>Student Network Administrator, Hawker College abartlet@hawkerc.net
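The thread above turns on what a proxy can learn from the "Proxy-Authorization: NTLM <base64>" blob before ntlm_auth reports the authenticated user. The following is an added example, not code from this thread, from Samba or from ntlm_auth: a small Python parser that base64-decodes the header value, checks the NTLMSSP signature and message type, and for a Type 3 (AUTHENTICATE) message reads the domain, user and workstation security buffers using the layout documented at davenport.sf.net/ntlm.html. Offsets and lengths inside the blob are client-supplied, so every security buffer is bounds-checked before it is read. The `build_authenticate` helper only constructs a Unicode Type 3 message for testing; it fills the LM/NT response fields with placeholder bytes rather than computing real responses, and the latin-1 decoding used for non-Unicode (OEM) strings is an assumption, since the OEM code page depends on the client. Note that the names parsed this way are what the client claims; they are not verified until the responses are checked (which is what ntlm_auth does), so they are useful for logging and routing, not as an authentication result.

```python
# Added example (not from the samba-technical thread, Samba or ntlm_auth):
# a minimal parser for the NTLMSSP blobs carried in
# "Proxy-Authorization: NTLM <base64>" headers.
import base64
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001   # strings are UTF-16LE when set
MESSAGE_NAMES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
TYPE3_MIN_LEN = 64   # signature + type + six security buffers + NegotiateFlags


def blob_from_header(header_value):
    """Decode the base64 token of an 'NTLM <token>' header value."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        raise ValueError("not an NTLM authorization header")
    return base64.b64decode(token.strip(), validate=True)


def header_from_blob(blob):
    """Inverse of blob_from_header, used to build sample headers."""
    return "NTLM " + base64.b64encode(blob).decode("ascii")


def message_type(blob):
    """Return the NTLMSSP message type (1, 2 or 3) after checking the signature."""
    if len(blob) < 12 or blob[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    return struct.unpack_from("<I", blob, 8)[0]


def _security_buffer(blob, pos):
    """Read the (Len, MaxLen, Offset) descriptor at pos and return the bytes it references.

    The descriptor comes from the client, so it is bounds-checked rather than
    trusted: a hostile blob must not make the parser read past the message.
    """
    length, _maxlen, offset = struct.unpack_from("<HHI", blob, pos)
    if offset + length > len(blob):
        raise ValueError("security buffer at %d points outside the message" % pos)
    return blob[offset:offset + length]


def parse_authenticate(blob):
    """Extract the client-claimed identity fields from a Type 3 message."""
    if message_type(blob) != 3:
        raise ValueError("not a Type 3 (AUTHENTICATE) message")
    if len(blob) < TYPE3_MIN_LEN:
        raise ValueError("Type 3 message truncated")
    flags = struct.unpack_from("<I", blob, 60)[0]
    # OEM strings use the client's code page; latin-1 is an assumption here.
    encoding = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "latin-1"
    return {
        "lm_response": _security_buffer(blob, 12),
        "nt_response": _security_buffer(blob, 20),
        "domain": _security_buffer(blob, 28).decode(encoding),
        "user": _security_buffer(blob, 36).decode(encoding),
        "workstation": _security_buffer(blob, 44).decode(encoding),
        "flags": flags,
    }


def build_authenticate(user, domain, workstation, lm_response, nt_response):
    """Construct a Unicode Type 3 message for testing (responses are NOT computed)."""
    items = [lm_response, nt_response] + [
        s.encode("utf-16-le") for s in (domain, user, workstation)
    ] + [b""]   # empty EncryptedRandomSessionKey buffer
    descriptors, payload, offset = b"", b"", TYPE3_MIN_LEN
    for item in items:
        descriptors += struct.pack("<HHI", len(item), len(item), offset)
        payload += item
        offset += len(item)
    return (NTLMSSP_SIGNATURE + struct.pack("<I", 3) + descriptors
            + struct.pack("<I", NTLMSSP_NEGOTIATE_UNICODE) + payload)


def identity_from_header(header_value):
    """Header value -> (message type name, parsed Type 3 fields or None)."""
    blob = blob_from_header(header_value)
    mtype = message_type(blob)
    if mtype == 3:
        return MESSAGE_NAMES[3], parse_authenticate(blob)
    return MESSAGE_NAMES.get(mtype, "UNKNOWN"), None


if __name__ == "__main__":
    # Constructed sample: placeholder 24-byte responses, not a real handshake.
    sample = build_authenticate("yimin", "EXAMPLE", "WS1", b"\x00" * 24, b"\x11" * 24)
    print(identity_from_header(header_from_blob(sample)))
```

A proxy that feeds the whole blob to ntlm_auth still gets the authoritative username from ntlm_auth's final answer; this parser only lets it log or route on the claimed user and domain earlier in the exchange, and it rejects blobs whose buffer descriptors point outside the message.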