<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Hi Oleg and Shimi.<br>
<br>
I did not describe problem correctly.<br>
<br>
This is not Linux sysadm problem.<br>
I am fixing application running on Debian,<br>
<br>
I will take Oleg's advice to see cntlm source.<br>
<br>
Today I was surprised by ldapsearch utility ( package ldap-utils)
which reports that are several authentication mechanism available on
AD server, <br>
like GSS-API, KERBEROS, OTP<br>
but it did not listed NTLM !!!<br>
<br>
<br>
on the other hand I see that ad browser from sysinternals suite
for windows do use NTLM ( wireshark sees it)<br>
<br>
<br>
So I am confused now :<br>
Can linux use NTLM as some backdoor method, or only windows can use
it?<br>
<br>
Perhaps NTLM plugin of openldap library is usable only on LDAP
server to authenticate windows clients?<br>
<br>
<br>
L.<br>
<br>
<br>
<div class="moz-cite-prefix">On 04/03/2015 00:12, shimi wrote:<br>
</div>
<blockquote
cite="mid:CAKnt4U-F=J08KKjnEfM-qXhoTmckCH1Z7zucuRXLZ6XDxYuWhA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra"><br>
<div class="gmail_quote">On Tue, Mar 3, 2015 at 10:20 PM, Lev
Olshvang <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:lolshva@012.net.il" target="_blank">lolshva@012.net.il</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex"><br>
Hello Alll,<br>
<br>
<br>
Does anybody have example or can advice how to perform
NTLM authentication of Linux client toward Microsoft AD
service?<br>
<br>
<br>
I calledd ldap_ntlm_bind() to do the Job, but<br>
Wireshark can not fully recognize these message and prints
"mailformed"<br>
<br>
And following<br>
ldap_parse_ntlm_bind_result() returns with Authentication
error.<br>
<br>
<br>
Unfortunately these functions are not documented, perhaps
I pass wrong parameters.<br>
<br>
<br>
Actually I pass<br>
ldap_ntlm_bind(ld, dn, LDAP_AUTH_NTLM_REQUEST, cred, NULL,
NULL, msgidp);<br>
I put password in cred structure and user parameter as
part of dn string,<br>
like "user=NTDOMAIN\lev, cn=myhost,dn=com"<br>
<br>
<br>
Many thanks and Hag Sameah,<br>
<br>
</blockquote>
<div><br>
</div>
<div>Tried already the 'regular' way (<a
moz-do-not-send="true"
href="https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto">https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto</a>)
and saw if that works? Maybe the issue is not with your
code...<br>
<br>
</div>
<div>Not that I am sure what are you trying to do beyond
just authenticating (if it's just login or similar, why
really not with winbind through PAM?) - maybe I got it all
wrong :-)<br>
<br>
</div>
<div>IIRC, to use LDAP towards an AD server, it must be a
GlobalCatalog - you should make sure that is the case (as
well as the right port for the job, whether encryption is
used or not, etc etc.). But this is ancient history, so I
hope I am not misleading you.<br>
<br>
</div>
<div>-- Shimi<br>
</div>
<div><br>
</div>
</div>
<br>
</div>
</div>
</blockquote>
<br>
</body>
</html>