Support NTLM server-side

[GoogleCodeExporter]

I'm needing to provide NTLM authentication to clients from a server.

This library could in theory support clients, proxies and servers, using
common classes for the message structures etc.

Original issue reported on code.google.com by dav...@j5int.com on 22 Jan 2009 at 9:35

[GoogleCodeExporter]

Rats, this is an Enhancement, not a Defect, but I can't change it...

Anyway, I've started work on an implementation using a local git mirror...

I've also started producing unit tests that should cover the client and server 
sides

Original comment by dav...@j5int.com on 22 Jan 2009 at 9:36

[GoogleCodeExporter]

I am making this a wontfix for now. It is a really neat feature, but it would 
take me
too much time. If you or anyone else wants to work on this feature, I can give 
you
access to the repository.

Original comment by Matthijs.Mullender on 29 Jan 2009 at 8:48

• Changed state: WontFix
• Added labels: Type-Enhancement
• Removed labels: Type-Defect

[GoogleCodeExporter]

OK, I'm actively working on it, and have code in my svn repository (see
http://trac.sjsoft.com/browser/upstream/python-ntlm/ntlm - the new code that 
supports
client and server is in ntlm2, and there are generic tests in test_ntlm)

The trouble is I've refactored lots of stuff as an experiment, using ctypes. I'm
quite sure that you may not like that approach, but it makes it easier for me 
for
now, and could be converted back to struct packing later.

Would it be possible to give me repository access on the understanding that 
I'll work
on this in a branch? At least that would make all the related code live in one 
place...

Original comment by dav...@j5int.com on 29 Jan 2009 at 8:55

[GoogleCodeExporter]

I'm working on this in the new clientserver branch

Original comment by dav...@j5int.com on 29 Jan 2009 at 3:15

• Changed state: Started

[GoogleCodeExporter]

Yeah this would be cool for sure - great to see you guys are working on this 
stuff!

I'm not even sure that I necessarily need a server implementation of NTLM 
actually...
just to check cleartext passwords against hashes pwdumped from 2000/3/8 servers 
which
are in what... MD4 format? Is there anything special that needs to be done 
beyond
hashing the cleartext and comparing it?

Sam

Original comment by s...@samj.net on 1 Feb 2009 at 3:59

[GoogleCodeExporter]

The current clientserver branch now contains a working basic NTLM2 server, that 
has
been tested with Internet Explorer...

duncancbennett is managing this - we need to complete testing, and then at some 
stage
we'll need to discuss whether this can be merged with the main branch etc

Original comment by dav...@j5int.com on 24 Feb 2009 at 11:54

[GoogleCodeExporter]

We now have:
 * Support for ntlm v1 and v2
 * Support for client and server operation
 * A sample server that can be used for testing
 * all the tests passing

This of course amounts to a large rewrite of sections of the code, so we need to
clean things up and discuss how/if this could be merged onto trunk.

Original comment by dav...@j5int.com on 4 Mar 2009 at 1:42

[GoogleCodeExporter]

How easily can this be integrated into webframeworks like Django, Trac and 
others?

Original comment by alok.bis...@gmail.com on 4 Mar 2009 at 8:32

[GoogleCodeExporter]

I will have to look into integration into Django and other webframeworks. At the
moment, I've only built the simple cherrypy example and I'm looking into 
integrating
the NTLMServerBase class into our own code.

However, I don't want to make the mistake of assuming that the current 
NTLMServerBase
class fits all cases only to land up reintegrating a series of changes later 
on. So
I'll take a look at Django and see how things work.

Also any comments or suggested improvements are more than welcome.

Original comment by duncancb...@googlemail.com on 5 Mar 2009 at 9:22

[GoogleCodeExporter]

Oh and I should add that the current server implementation does not yet generate
session keys. At the moment I'm specifically focusing on the case of a 
connection
oriented NTLM over HTTP server implementation with no signing or sealing of 
messages.

Original comment by duncancb...@googlemail.com on 5 Mar 2009 at 9:26

[GoogleCodeExporter]

I've just discovered that python-win32 already handles NTLM, which makes what's 
been
done so far redundant. Especially since I've not yet resolved how to access the
Domain Controller using NetLogon.

So if you've read this far don't make my mistake :) Take a look at 
sspi.ServerAuth in
python-win32. If you download the source code you'll find a simple NTLM
implementation in win32/Demos/security/sspi/socket_server.py

Original comment by duncancb...@googlemail.com on 13 Mar 2009 at 12:55

[GoogleCodeExporter]

But what about Unices? Is there an equivalent for sspi on say Linux?

Original comment by alok.bis...@gmail.com on 13 Mar 2009 at 9:44

[GoogleCodeExporter]

I'm not aware of one but I'm only expecting to need to send NTLM server side 
messages
from a windows machine.

Original comment by duncancb...@googlemail.com on 16 Mar 2009 at 7:36

[GoogleCodeExporter]

Re comment 12: For Unices, the implementation in this branch successfully 
provides a
server-side NTLM layer. However it will not integrate with a Windows Domain
Controller to provide single sign on.

Original comment by dav...@j5int.com on 17 Mar 2009 at 7:18

[GoogleCodeExporter]

David,

Can you please explain what features the server-side NTLM layer provides? Also, 
can
you please elaborate on what the comment "not integrate with a Windows Domain
Controller to provide single sign on" mean?

Does it mean that a website running Python server using python-ntlm branch 
code, on
an IE client will not provide seamless (without a username/password login box)
authentication? The CIFS Java library (http://jcifs.samba.org/) does provide 
seamless
authentication.

Is something similar possible in (pure?) Python?

Original comment by alok.bis...@gmail.com on 21 Mar 2009 at 11:01

[GoogleCodeExporter]

The current code merely provides an HTTP authentication mechanism that verifies 
a
hash of a password for a given user. You need to store the username and password
locally for the Python server to access - it can't pass the authentication 
details
through to the Windows domain controller to verify, which is what you can 
accomplish
using the sspi code (this is because we only receive a hash of the password, and
haven't implemented the protocol you need to talk to the domain controller). So 
you
can provide what appears to be seamless single sign on, but only by duplicating 
the
windows usernames and passwords in a config file for python.

As far as I can see this seems to be what jcifs is doing as well, but it's 
probably
integrating with SAMBA rather than the Windows domain controller, and I haven't
looked at it in detail.

I hope that makes sense - duncancbennett knows more of the details.

Original comment by dav...@j5int.com on 23 Mar 2009 at 8:37

[GoogleCodeExporter]

In reference to David's comment above, I'll try to give a bit more detail. When 
I was
writing the code, my goal all along was to get python using NTLM in a windows
environment. An issue which I kept deferring was the connection to the Domain
Controller. When I eventually looked into this, it became clear that I would 
need
access to NetLogon (which would envolve a lot more work). After further 
investigation
I discovered that in Windows I should just have been using python-win32 in any 
case.

If all you want is an easy way to get single-sign on for IE clients under unix, 
then
the code already handles this. However 
NTLMClientServer.create_session_keys(...) is
not implemented so signing and sealing is not supported.

The branch contains a sample server, which implements the required 
NTLMServerBase
class methods in a very simple way. As David says, you'll need to work out how 
you'll
access client names passwords and pass this information through from within the
"get_authenticated_response" method of "NTLMServerBase".

Original comment by duncancb...@googlemail.com on 23 Mar 2009 at 9:41

[GoogleCodeExporter]

Hi all, may I ask what happen with the server-side NTLM feature? I've tried to 
locate the code and it doesn't seem to be in the repository, and the external 
link is dead.

Any ideas on where to get that code; or any other server-side NTLM 
implementation?

Original comment by andres.riancho@gmail.com on 28 Nov 2013 at 5:05