NTLM

Phil Mayers p.mayers at imperial.ac.uk
Thu Feb 23 00:36:57 CET 2006


Alan DeKok wrote:
> Phil Mayers <p.mayers at imperial.ac.uk> wrote:
>> Isn't libntlm client-side NTLM?
> 
>   It validates NTLM requests, and uses username/passwd to generate
> NTLM requests to send to a server.

Ok, different libntlm then. Have you got the URL handy?

> 
>> As far as I know, to execute the required RPCs you need a machine 
>> account
> 
>   Which Samba doesn't do.  Remember, Samba still only does NT4-style

I don't know what you mean by this. Samba can act as both a client and 
(member) server for win2k/win2k3 authentication methods (GSS-SPNEGO 
primarily) using machine account credentials acquired using that domains 
native protocols (kerberos+LDAP).

It can't be a domain controller for those protocols, but that does not 
seem to be relevant to the discussion? I'm sure we're talking about 
different things.

The point I am (badly) trying to communicate is that, with a microsoft 
domain controller (NT4, win2k, win2k3), to execute the RPC call required 
to validate an MS-CHAPv2 request and return the NT key you MUST have a 
machine account in the domain and you MUST be able to generate an 
appropriately formatted, secured and encrypted netlogon 
sam_network_logon call. The code for this is non-trivial, and since the 
user would have to configure and join the domain, and maintain the 
machine account credentials anyway, I'm not sure in reality it's much 
easier than installing samba.


> authentication for NTLM.  As I've said, I've watched it with tcpdump.
> 4 packets isn't a lot.

It's 4 packets for me too, but TCP segments on an already-open MSRPC 
pipe to a domain controller. The SMB packets are SMB-signed/sealed, the 
contents are a Netlogon SCHANNEL RPC which is itself further signed and 
sealed, and the variety and number of versions of a call and versions of 
structures passed as arguments are truly, truly bewildering.

Don't get me wrong, I'm not saying it's not doable or not a good idea, I 
just have a feeling it would be a lot of work having lurked around the 
samba-technical mailing list for a few years and spent more than a few 
hours debugging various issues.

> 
>> With latter versions of 
>> windows, 2k3 in particular, the amount of support required for even 
>> basic netlogon RPCs is large, as they've upped the security ante.
> 
>   So you avoid it by doing NT4 authentications.

I'm not sure what you mean by "NT4" authentications. There are many 
dialects of the various RPC protocols and channels, none particularly 
simple (by my measure at any rate). I'm not sure there are any non-MSRPC 
ways to check an MS-CHAPv2 request -

> 
>> Perhaps we could invert the problem - a small, easily auditable binary 
>> compiled for win32 that listens on a TCP port, uses some lightweight 
>> method to secure connections (maybe SRP?) and acts as an 
>> ultra-lightweight proxy for the required RPCs? Sites that want to can 
>> just run it as a service on the PDC or any member server. Sites large 
>> enough to forbid this are likely large enough to put the effort into 
>> running Samba.
> 
>   Sure.  But why do all that when you can just run a RADIUS server on
> the box?
> 
>   If FreeRADIUS had a "native" windows authentication module, then
> most of these issues could be avoided by running a full RADIUS
> remotely, and a small radius on the Windows box.

Interesting - I didn't realise FR compiled there (I guess it does under 
cygwin but TBH you've not got great access to the relevant APIs there).

> 
>   Alan DeKok.
> 
> - 
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html




More information about the Freeradius-Users mailing list