> -----Original Message-----
> From: Henrik Nordstrom [mailto:hno@marasystems.com]
> Sent: Sunday, February 24, 2002 11:05 AM
> To: Squid Developers Mailinglist
> Subject: NTLM
>
>
> I am looking into the NTLM helper protocol, and there is some things
> that got me curious:
>
> a) In the documentation you say that the parameters are base64
> encoded, but yet in the helpers you are using uudecode to decode the
> received parameters...
We like confusion. Actually, I'm confused here. Line 287 of NTLMSSP/auth_ntlm.c is decoded = base64_decode(buf + 3); Where do you see uudecode calls?
> b) Why isn't the negotiate packet sent to the helper? Doesn't the DC
> need the users domain name to generate a correct challenge in case of
> trust relations or multi-domain configurations?
No. The authenticating workstation uses the secure channel to pass the triple (challenge,result,user) to a domain controller of it's domain, which then passes the same to the correct domain if the user is not in it's domain.
So for the NTLMSSP helper, the authenticating workstation _is_ a domain controller as we are not using a secure channel ourselves (and this is also why we can't generate our own challenges).
For the winbindd helper, the local SAMBA code is the authenticating workstation, and thus gets to set the challenge itself.
Does that help?
Rob
Received on Sat Feb 23 2002 - 17:58:42 MST
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:14:48 MST