NTLM
Phil Mayers
p.mayers at imperial.ac.uk
Wed Feb 22 22:02:15 CET 2006
Alan DeKok wrote:
> Phil Mayers <p.mayers at imperial.ac.uk> wrote:
>> Download Samba, ensuring it is 3.0.21rc1 or later which includes the
>> patch Alan talks about. Compile and install samba. Read the samba
>> documentation. Configure your Samba server. Ensure winbindd and nmbd are
>> running. Join the AD domain. Ensure samba is working ("wbinfo -D
>> DOMAIN", "wbinfo -a username%pass" are good basic tests)
>>
>> Install FreeRadius, make sure it is 1.1.0 which will strip the machine
>> name "host/name.domain.com" to "name". Make the following changes to the
>> default config:
>
> Isn't that a whole heck of a lot of work?
Indeed
>
> I took a look at the packet traces going to the domain controller.
> It turns out that about 4 packets are necessary. There's a libntlm
> that does the NTLM oddities, so all that needs to happen is for
> someone to write a minimal SMB client.
Isn't libntlm client-side NTLM?
As far as I know, to execute the required RPCs you need a machine
account and thus at minimum must have a local secret store and support
for the RPCs to join a domain (can be in a binary helper app), change
the machine password (ditto executed from cron) and execute the basic
netlogon stuff. Sadly, Microsoft being Microsoft, there's a surprisingly
large amount to do for this to work reliably. With later versions of
windows, 2k3 in particular, the amount of support required for even
basic netlogon RPCs is large, as they've upped the security ante.
rlm_smb seems to be just for validating plaintext passwords. With the
older MS-CHAPv1 you could do something to just proxy the challenge and
response to any SMB server, but that server (and the supporting domain)
would have to have a lot of options that are turned off by default for
security reasons these days. NTLMv2 and MS-CHAPv2 were designed as you
know to eliminate that MITM potential.
But I can see what you're saying and agree - it's awfully heavyweight
for basic users.
Perhaps we could invert the problem - a small, easily auditable binary
compiled for win32 that listens on a TCP port, uses some lightweight
method to secure connections (maybe SRP?) and acts as an
ultra-lightweight proxy for the required RPCs? Sites that want to can
just run it as a service on the PDC or any member server. Sites large
enough to forbid this are likely large enough to put the effort into
running Samba.
(I could actually see this being preferable to rlm_ldap for some cases
if you permit a few other RPCs on the wire)
>
> The result would be a module like rlm_smb (which I can't make work
> anymore), but that replaces ntlm_auth, winbindd, and Samba. It would
> be small, fast, and a lot easier to use.
>
> It requires time/energy to do the work, but there is demand for it
> in a number of places.
Indeed. Sadly my own experience of SMB protocols leads me to believe
that anything less than Samba is likely to cause even more problems. It
at least has the advantage of lots of expertise interoperating with
years of diverse protocol options, the more modern of which can be
arcane to say the least.
It may be worth asking the guys on the samba-technical list if they have
any suggestions.
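The integration the thread keeps coming back to, FreeRADIUS handing an MS-CHAPv2 challenge/response to Samba's ntlm_auth so winbindd checks it over the netlogon channel, as an added example that is not code from the FreeRADIUS or Samba projects. It assumes ntlm_auth's documented MS-CHAPv2 options (`--request-nt-key`, `--username`, `--domain`, `--challenge`, `--nt-response`) and its `NT_KEY: <hex>` success line; the `$` appended to machine names after stripping `host/` and the DNS suffix is this example's assumption based on how Active Directory names computer accounts, and the stand-in runner that replaces winbindd is constructed so the flow runs offline.

```python
"""Glue around Samba's ntlm_auth for MS-CHAPv2 (added example, not
rlm_mschap itself).  The real helper needs access to winbindd's privileged
pipe (the winbindd_privileged directory), so run the authenticator as a
user in that group."""
from __future__ import annotations

import re
import subprocess
from typing import Callable, Optional, Sequence

# ntlm_auth prints the 16-byte NT key on success; MPPE keys derive from it.
NT_KEY_RE = re.compile(r"^NT_KEY:\s*([0-9A-Fa-f]{32})\s*$", re.MULTILINE)


def normalize_user(raw: str, default_domain: str) -> tuple[str, str]:
    """Split a RADIUS User-Name into (DOMAIN, account) as a domain member
    expects it: DOMAIN\\user, user@realm, and the EAP machine form
    host/name.domain.com.  The host/ prefix and DNS suffix are stripped;
    the trailing '$' is an assumption matching AD computer-account naming."""
    domain, user = default_domain, raw
    if "\\" in user:
        domain, user = user.split("\\", 1)
    elif "@" in user:
        user, realm = user.split("@", 1)
        domain = realm.split(".", 1)[0]
    if user.startswith("host/"):
        user = user[len("host/"):].split(".", 1)[0] + "$"
    return domain.upper(), user


def build_ntlm_auth_argv(username: str, domain: str, challenge: bytes,
                         nt_response: bytes,
                         helper: str = "/usr/bin/ntlm_auth") -> list[str]:
    """argv for ntlm_auth in MS-CHAPv2 mode.  The 8-byte challenge is the
    MS-CHAPv2 ChallengeHash, the 24-byte NT-Response is the peer's; both go
    as hex and are verified by the domain controller, never locally."""
    if len(challenge) != 8 or len(nt_response) != 24:
        raise ValueError("challenge must be 8 bytes, NT-Response 24 bytes")
    return [
        helper,
        "--request-nt-key",
        f"--username={username}",
        f"--domain={domain}",
        f"--challenge={challenge.hex()}",
        f"--nt-response={nt_response.hex()}",
    ]


def parse_ntlm_auth_output(returncode: int, stdout: str) -> Optional[bytes]:
    """Return the NT key on success, None otherwise.  Both the exit status
    and the text are checked, so a helper that prints a key yet reports an
    error is still treated as a rejection."""
    if returncode != 0:
        return None
    m = NT_KEY_RE.search(stdout)
    return bytes.fromhex(m.group(1)) if m else None


Runner = Callable[[Sequence[str]], subprocess.CompletedProcess]


def authenticate(raw_user: str, default_domain: str, challenge: bytes,
                 nt_response: bytes,
                 runner: Optional[Runner] = None) -> Optional[bytes]:
    """Normalise the name, call the helper, parse the result.  `runner` is
    injectable so the flow can be exercised without a joined Samba host."""
    domain, user = normalize_user(raw_user, default_domain)
    argv = build_ntlm_auth_argv(user, domain, challenge, nt_response)
    if runner is None:
        def runner(a):  # real call: ntlm_auth -> winbindd -> netlogon RPC
            return subprocess.run(a, capture_output=True, text=True, timeout=10)
    proc = runner(argv)
    return parse_ntlm_auth_output(proc.returncode, proc.stdout)


def fake_runner(argv: Sequence[str]) -> subprocess.CompletedProcess:
    """Constructed stand-in for winbindd: accepts exactly one account."""
    opts = dict(a.lstrip("-").split("=", 1) for a in argv[1:] if "=" in a)
    ok = (opts["username"], opts["domain"]) == ("pc01$", "CORP")
    return subprocess.CompletedProcess(
        list(argv), 0 if ok else 1,
        stdout="NT_KEY: 0123456789ABCDEF0123456789ABCDEF\n" if ok
        else "Logon failure (0xc000006d)\n", stderr="")


if __name__ == "__main__":
    key = authenticate("host/pc01.corp.example", "CORP",
                       b"\x11" * 8, b"\x22" * 24, fake_runner)
    print("accepted" if key else "rejected")
```

Because the challenge and NT-Response travel to the domain controller unchanged and the verdict comes back over the machine account's netlogon channel, this is the part of the exchange that cannot be "proxied to any SMB server" once MS-CHAPv2 and NTLMv2 are in play, and it is why the helper needs a joined host behind it.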