Re: NTLM

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Sun, 24 Feb 2002 02:36:47 +0100

On Sunday 24 February 2002 01:58, Robert Collins wrote:

> We like confusion. Actually, I'm confused here. Line 287 of
> NTLMSSP/auth_ntlm.c is decoded = base64_decode(buf + 3); Where do
> you see uudecode calls?

In the other two helpers (fakeauth and no_auth).

I am writing another simple helper doing NTLM locally using smbpasswd
files. Thus I felt the fakeauth helper was a better starting point.

> > b) Why isn't the negotiate packet sent to the helper? Doesn't the
> > DC need the users domain name to generate a correct challenge in
> > case of trust relations or multi-domain configurations?
>
> No. The authenticating workstation uses the secure channel to pass
> the triple (challenge,result,user) to a domain controller of its
> domain, which then passes the same to the correct domain if the
> user is not in its domain.

So you are saying that a member server in a NT network can ask to
verify (challenge,NT-response,user,domain) with their own choice of
challenge because the DC knows the station by its account?

Makes me wonder why there is a negotiate packet in the first place
however. It must have some function or else they would not put it
there, would they? But it does explain the need of all those
computer and trust accounts and makes some sense from an
architectural point of view.

Do you know where I can find more info about this secure channel
authentication method? I have another related project where I need to
implement MSCHAPv2 to NT domains, and I strongly suspect MS RAS
servers are utilising functions in this secure channel to perform
MSCHAPv2. MSCHAPv2 (and MS-CHAP) uses MD4(NT#) as authentication key.

Regards
Henrik
Received on Sat Feb 23 2002 - 18:35:50 MST
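
Added example, not part of the original message or of the Squid helpers: a small parser showing what an NTLMSSP negotiate (Type 1) message carries once the helper line has been base64-decoded past its three-character prefix, as in the `base64_decode(buf + 3)` call quoted above. The "YR " prefix, the function names and the sample domain and workstation are assumptions constructed for illustration.

```python
import base64
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"
# Well-known NTLMSSP negotiate flag values
FLAG_DOMAIN_SUPPLIED = 0x00001000
FLAG_WORKSTATION_SUPPLIED = 0x00002000


def _buffer(msg, off):
    """Read a security buffer (len, maxlen, offset) and return its bytes."""
    if len(msg) < off + 8:
        return b""  # minimal Type 1 messages omit the buffers entirely
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, off)
    if offset + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[offset:offset + length]


def parse_negotiate(helper_line):
    """Parse '<2-char code> <base64 NTLMSSP Type 1>' into a dict."""
    # Skip the 3-character prefix, mirroring buf + 3 in the quoted C line.
    raw = base64.b64decode(helper_line[3:], validate=True)
    if len(raw) < 16 or raw[:8] != NTLMSSP_SIG:
        raise ValueError("not an NTLMSSP message")
    msg_type, flags = struct.unpack_from("<II", raw, 8)
    if msg_type != 1:
        raise ValueError("expected negotiate (type 1), got %d" % msg_type)
    domain = _buffer(raw, 16) if flags & FLAG_DOMAIN_SUPPLIED else b""
    station = _buffer(raw, 24) if flags & FLAG_WORKSTATION_SUPPLIED else b""
    return {"flags": flags,
            "domain": domain.decode("ascii", "replace"),
            "workstation": station.decode("ascii", "replace")}


def build_sample():
    """Constructed Type 1 message: domain EXAMPLE, workstation WS1."""
    domain, station = b"EXAMPLE", b"WS1"
    # 0x2 = OEM strings, 0x200 = NTLM, plus the two "supplied" flags
    flags = 0x2 | 0x200 | FLAG_DOMAIN_SUPPLIED | FLAG_WORKSTATION_SUPPLIED
    header = NTLMSSP_SIG + struct.pack("<II", 1, flags)
    header += struct.pack("<HHI", len(domain), len(domain), 32)
    header += struct.pack("<HHI", len(station), len(station), 32 + len(domain))
    return "YR " + base64.b64encode(header + domain + station).decode()


if __name__ == "__main__":
    print(parse_negotiate(build_sample()))
```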
