Bug 10007 - Support [MS-SIP] §3.1.4.2 message authentication via ntlm_auth or otherwise
Summary: Support [MS-SIP] §3.1.4.2 message authentication via ntlm_auth or otherwise
Status: RESOLVED INVALID
Alias: None
Product: Samba 4.0
Classification: Unclassified
Component: Winbind
Version: 4.0.6
Hardware: All (OS: All)
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-07-10 14:29 UTC by David Woodhouse
Modified: 2014-07-06 11:04 UTC

Description David Woodhouse 2013-07-10 14:29:11 UTC
See RFE filed against pidgin-sipe to use automatic NTLM authentication:
https://sourceforge.net/p/sipe/feature-requests/64/

And in particular the following reply:

    After studying soup-auth-ntlm.c I have come to conclusion that the
    ntlm_auth approach only works for HTTP connections, because all you need
    there are the raw NTLM challenge/response messages.

    But M$ has extended the SIP protocol with a mandatory Message Integrity Code
    (see [MS-SIP], section 3.1.4.2 for details). You can only generate and
    verify MICs if you have the Exported Session Key, which is generated during
    the NTLM authentication message (see src/core/sip-sec-ntlm.c:sip_sec_ntlm_gen_authenticate(),
    e.g. client_sign_key).

    As far as I can tell Samba does not offer a GSSAPI to winbind, which would
    be required for SIPE to be able to use the cached credentials.

I'm largely ignorant of the details and playing man-in-the-middle here... please could we make this work?
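To make concrete why the raw NTLM challenge/response messages handed back by ntlm_auth are not enough, the following added example (not code from the bug, from pidgin-sipe or from Samba) shows the piece that depends on the Exported Session Key: the [MS-NLMP] derivation of the client-to-server signing key and the NTLMSSP signature (version, 8-byte HMAC-MD5 checksum, sequence number) that [MS-SIP] uses as its MIC under extended session security. The 16-byte session key and the signed string are constructed placeholders; the real MIC input is assembled from specific SIP headers per [MS-SIP], which is not reproduced here, and the key-exchange (RC4-sealed checksum) variant is deliberately left out. Without the session key a verifier can only reject: the last function demonstrates that a signature made under any other key fails.

```python
import hashlib
import hmac
import struct

# [MS-NLMP] 3.4.5.2 SIGNKEY magic constants; the terminating NUL is part of the input.
CLIENT_SIGN_MAGIC = b"session key to client-to-server signing key magic constant\x00"
SERVER_SIGN_MAGIC = b"session key to server-to-client signing key magic constant\x00"


def derive_sign_key(exported_session_key: bytes, client_to_server: bool = True) -> bytes:
    """SIGNKEY = MD5(ExportedSessionKey || magic constant) under extended session security."""
    magic = CLIENT_SIGN_MAGIC if client_to_server else SERVER_SIGN_MAGIC
    return hashlib.md5(exported_session_key + magic).digest()


def ntlm_sign(sign_key: bytes, seq_num: int, message: bytes) -> bytes:
    """[MS-NLMP] 3.4.4.2 NTLMSSP_MESSAGE_SIGNATURE (no key exchange):
    Version(1) || first 8 bytes of HMAC_MD5(SignKey, SeqNum || Message) || SeqNum."""
    seq = struct.pack("<I", seq_num)
    checksum = hmac.new(sign_key, seq + message, hashlib.md5).digest()[:8]
    return struct.pack("<I", 1) + checksum + seq


def ntlm_verify(sign_key: bytes, message: bytes, signature: bytes) -> bool:
    """Recompute the signature from the received sequence number and compare in constant time."""
    if len(signature) != 16 or signature[:4] != struct.pack("<I", 1):
        return False
    seq_num = struct.unpack("<I", signature[12:16])[0]
    return hmac.compare_digest(signature, ntlm_sign(sign_key, seq_num, message))


# Constructed values for the demonstration (not from any real session).
DEMO_SESSION_KEY = bytes(range(16))           # stands in for the Exported Session Key
DEMO_MIC_INPUT = b"<sip:alice@example.invalid>:REGISTER:1"  # stands in for the [MS-SIP] header string


def sign_demo(seq_num: int = 100) -> bytes:
    """Client side: needs the session key to derive the signing key and produce a MIC."""
    return ntlm_sign(derive_sign_key(DEMO_SESSION_KEY), seq_num, DEMO_MIC_INPUT)


def verify_demo(signature: bytes, message: bytes = DEMO_MIC_INPUT,
                session_key: bytes = DEMO_SESSION_KEY) -> bool:
    """Server side: the same derivation; any other session key yields a different SIGNKEY."""
    return ntlm_verify(derive_sign_key(session_key), message, signature)


def forged_without_session_key() -> bool:
    """A party holding only the challenge/response bytes, not the session key, cannot
    produce an accepted MIC: signing under a guessed key is rejected by the verifier."""
    wrong_key = b"\xff" * 16
    sig = ntlm_sign(derive_sign_key(wrong_key), 100, DEMO_MIC_INPUT)
    return verify_demo(sig)


if __name__ == "__main__":
    sig = sign_demo()
    print("signature:", sig.hex())
    print("verifies with session key:", verify_demo(sig))
    print("accepted without session key:", forged_without_session_key())
```

The sequence number inside the signature is what ties each MIC to one message in the dialog; a verifier that ignores it, or that accepts a replayed value, loses the replay protection the counter provides.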
Comment 1 David Woodhouse 2014-07-05 22:00:58 UTC
I think this is actually possible since commit fe348fdb2 enabled us to get the session key. Not that it works with cached credentials, qv.