Open GoogleCodeExporter opened 8 years ago
Rats, this is an Enhancement, not a Defect, but I can't change it...
Anyway, I've started work on an implementation using a local git mirror...
I've also started producing unit tests that should cover the client and server
sides.
Original comment by dav...@j5int.com
on 22 Jan 2009 at 9:36
I am making this a wontfix for now. It is a really neat feature, but it would
take me too much time. If you or anyone else wants to work on this feature, I
can give you access to the repository.
Original comment by Matthijs.Mullender
on 29 Jan 2009 at 8:48
OK, I'm actively working on it, and have code in my svn repository (see
http://trac.sjsoft.com/browser/upstream/python-ntlm/ntlm - the new code that
supports client and server is in ntlm2, and there are generic tests in
test_ntlm)
The trouble is I've refactored lots of stuff as an experiment, using ctypes.
I'm quite sure that you may not like that approach, but it makes it easier for
me for now, and could be converted back to struct packing later.
Would it be possible to give me repository access on the understanding that
I'll work on this in a branch? At least that would make all the related code
live in one place...
Original comment by dav...@j5int.com
on 29 Jan 2009 at 8:55
I'm working on this in the new clientserver branch
Original comment by dav...@j5int.com
on 29 Jan 2009 at 3:15
Yeah this would be cool for sure - great to see you guys are working on this
stuff!
I'm not even sure that I necessarily need a server implementation of NTLM
actually... just to check cleartext passwords against hashes pwdumped from
2000/3/8 servers which are in what... MD4 format? Is there anything special
that needs to be done beyond hashing the cleartext and comparing it?
Sam
Original comment by s...@samj.net
on 1 Feb 2009 at 3:59
The current clientserver branch now contains a working basic NTLM2 server, that
has been tested with Internet Explorer...
duncancbennett is managing this - we need to complete testing, and then at some
stage we'll need to discuss whether this can be merged with the main branch etc
Original comment by dav...@j5int.com
on 24 Feb 2009 at 11:54
We now have:
* Support for ntlm v1 and v2
* Support for client and server operation
* A sample server that can be used for testing
* all the tests passing
This of course amounts to a large rewrite of sections of the code, so we need to
clean things up and discuss how/if this could be merged onto trunk.
Original comment by dav...@j5int.com
on 4 Mar 2009 at 1:42
How easily can this be integrated into web frameworks like Django, Trac and
others?
Original comment by alok.bis...@gmail.com
on 4 Mar 2009 at 8:32
I will have to look into integration into Django and other web frameworks. At
the moment, I've only built the simple cherrypy example and I'm looking into
integrating the NTLMServerBase class into our own code.
However, I don't want to make the mistake of assuming that the current
NTLMServerBase class fits all cases only to land up reintegrating a series of
changes later on. So I'll take a look at Django and see how things work.
Also any comments or suggested improvements are more than welcome.
Original comment by duncancb...@googlemail.com
on 5 Mar 2009 at 9:22
Oh and I should add that the current server implementation does not yet
generate session keys. At the moment I'm specifically focusing on the case of a
connection oriented NTLM over HTTP server implementation with no signing or
sealing of messages.
Original comment by duncancb...@googlemail.com
on 5 Mar 2009 at 9:26
I've just discovered that python-win32 already handles NTLM, which makes what's
been done so far redundant. Especially since I've not yet resolved how to
access the Domain Controller using NetLogon.
So if you've read this far don't make my mistake :) Take a look at
sspi.ServerAuth in python-win32. If you download the source code you'll find a
simple NTLM implementation in win32/Demos/security/sspi/socket_server.py
Original comment by duncancb...@googlemail.com
on 13 Mar 2009 at 12:55
But what about Unices? Is there an equivalent for sspi on say Linux?
Original comment by alok.bis...@gmail.com
on 13 Mar 2009 at 9:44
I'm not aware of one but I'm only expecting to need to send NTLM server side
messages from a windows machine.
Original comment by duncancb...@googlemail.com
on 16 Mar 2009 at 7:36
Re comment 12: For Unices, the implementation in this branch successfully
provides a server-side NTLM layer. However it will not integrate with a Windows
Domain Controller to provide single sign on.
Original comment by dav...@j5int.com
on 17 Mar 2009 at 7:18
David,
Can you please explain what features the server-side NTLM layer provides? Also,
can you please elaborate on what the comment "not integrate with a Windows
Domain Controller to provide single sign on" means?
Does it mean that a website running Python server using python-ntlm branch
code, on an IE client will not provide seamless (without a username/password
login box) authentication? The CIFS Java library (http://jcifs.samba.org/) does
provide seamless authentication.
Is something similar possible in (pure?) Python?
Original comment by alok.bis...@gmail.com
on 21 Mar 2009 at 11:01
The current code merely provides an HTTP authentication mechanism that verifies
a hash of a password for a given user. You need to store the username and
password locally for the Python server to access - it can't pass the
authentication details through to the Windows domain controller to verify,
which is what you can accomplish using the sspi code (this is because we only
receive a hash of the password, and haven't implemented the protocol you need
to talk to the domain controller). So you can provide what appears to be
seamless single sign on, but only by duplicating the windows usernames and
passwords in a config file for python.
As far as I can see this seems to be what jcifs is doing as well, but it's
probably integrating with SAMBA rather than the Windows domain controller, and
I haven't looked at it in detail.
I hope that makes sense - duncancbennett knows more of the details.
Original comment by dav...@j5int.com
on 23 Mar 2009 at 8:37
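The server-side check described in the comment above, sketched for the NTLMv2
case as an added example (not code from the python-ntlm branch). The function
names, the STORED table and the sample blob are assumptions made for
illustration; the store holds the NT hash rather than the cleartext password.

```python
import hashlib
import hmac
import os

# Constructed sample store: UPPER(username) -> 16-byte NT hash (here, of "Password").
STORED = {"USER": bytes.fromhex("a4f49c406510bdcab6824ee7c30fd852")}
_DUMMY = bytes(16)  # used for unknown users so both paths do the same work


def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTLMv2 key: HMAC-MD5 keyed with the NT hash over UPPER(user) + domain."""
    identity = (user.upper() + domain).encode("utf-16-le")
    return hmac.new(nt_hash, identity, hashlib.md5).digest()


def ntlmv2_response(key: bytes, server_challenge: bytes, blob: bytes) -> bytes:
    """What a client sends: 16-byte proof over challenge + blob, then the blob."""
    proof = hmac.new(key, server_challenge + blob, hashlib.md5).digest()
    return proof + blob


def verify_ntlmv2(stored, user, domain, server_challenge, nt_response) -> bool:
    """Recompute the proof from the locally stored hash and compare."""
    known = user.upper() in stored
    key = ntowf_v2(stored.get(user.upper(), _DUMMY), user, domain)
    proof, blob = nt_response[:16], nt_response[16:]
    expected = ntlmv2_response(key, server_challenge, blob)[:16]
    # Constant-time compare; an unknown user never verifies.
    return hmac.compare_digest(proof, expected) and known and len(blob) > 0


def demo():
    challenge = os.urandom(8)  # the server must issue a fresh challenge per handshake
    # Constructed client blob: version, reserved, timestamp, client nonce, empty AV list.
    blob = b"\x01\x01" + bytes(6) + bytes(8) + os.urandom(8) + bytes(8)
    good = ntlmv2_response(ntowf_v2(STORED["USER"], "User", "Domain"), challenge, blob)
    bad = ntlmv2_response(ntowf_v2(_DUMMY, "User", "Domain"), challenge, blob)
    return (verify_ntlmv2(STORED, "User", "Domain", challenge, good),
            verify_ntlmv2(STORED, "User", "Domain", challenge, bad))


if __name__ == "__main__":
    print(demo())
```

The stored NT hash is password-equivalent for NTLM: whoever can read the store
can compute valid responses, so it needs the same protection as the cleartext
passwords would.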
In reference to David's comment above, I'll try to give a bit more detail. When
I was writing the code, my goal all along was to get python using NTLM in a
windows environment. An issue which I kept deferring was the connection to the
Domain Controller. When I eventually looked into this, it became clear that I
would need access to NetLogon (which would involve a lot more work). After
further investigation I discovered that in Windows I should just have been
using python-win32 in any case.
If all you want is an easy way to get single-sign on for IE clients under unix,
then the code already handles this. However
NTLMClientServer.create_session_keys(...) is not implemented so signing and
sealing is not supported.
The branch contains a sample server, which implements the required
NTLMServerBase class methods in a very simple way. As David says, you'll need
to work out how you'll access client names passwords and pass this information
through from within the "get_authenticated_response" method of
"NTLMServerBase".
Original comment by duncancb...@googlemail.com
on 23 Mar 2009 at 9:41
Hi all, may I ask what happened with the server-side NTLM feature? I've tried
to locate the code and it doesn't seem to be in the repository, and the
external link is dead.
Any ideas on where to get that code; or any other server-side NTLM
implementation?
Original comment by andres.riancho@gmail.com
on 28 Nov 2013 at 5:05
Original issue reported on code.google.com by
dav...@j5int.com
on 22 Jan 2009 at 9:35