The Samba-Bugzilla – Bug 10007
Support [MS-SIP] §18.104.22.168 message authentication via ntlm_auth or otherwise
Last modified: 2014-07-06 11:04:50 UTC
See RFE filed against pidgin-sipe to use automatic NTLM authentication:
And in particular the following reply:
After studying soup-auth-ntlm.c I have come to conclusion that the
ntlm_auth approach only works for HTTP connections, because all you need
there are the raw NTLM challenge/response messages.
But M$ has extended the SIP protocol with a mandatory Message Integrity Code
(see [MS-SIP], section 22.214.171.124 for details). You can only generate and
verify MICs if you have the Exported Session Key, which is generated during
the NTLM authentication message (see
src/core/sip-sec-ntlm.c:sip_sec_ntlm_gen_authenticate(), e.g. client_sign_key).
As far as I can tell Samba does not offer a GSSAPI to winbind, which would
be required for SIPE to be able to use the cached credentials.
I'm largely ignorant of the details and playing man-in-the-middle here... please could we make this work?
I think this is actually possible since commit fe348fdb2 enabled us to get the session key. Not that it works with cached credentials, qv.
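
Added example, not part of the bug report and not code from Samba or pidgin-sipe: a sketch of why the raw challenge/response blobs are not enough, showing how the NTLM signing key and a message signature are derived from the Exported Session Key as described in [MS-NLMP] for extended session security. It assumes key exchange was not negotiated (so the checksum is not RC4-sealed); the session key and the signed SIP string are constructed placeholders, not the real [MS-SIP] field layout.

```python
import hashlib
import hmac
import struct

# Magic constants from [MS-NLMP] SIGNKEY(); the trailing NUL is part of the input.
CLIENT_SIGN_MAGIC = b"session key to client-to-server signing key magic constant\x00"
SERVER_SIGN_MAGIC = b"session key to server-to-client signing key magic constant\x00"


def sign_key(exported_session_key: bytes, magic: bytes) -> bytes:
    """SIGNKEY with extended session security: MD5(ExportedSessionKey || magic)."""
    if len(exported_session_key) != 16:
        raise ValueError("ExportedSessionKey must be 16 bytes")
    return hashlib.md5(exported_session_key + magic).digest()


def make_signature(signing_key: bytes, seq_num: int, message: bytes) -> bytes:
    """16-byte NTLMSSP_MESSAGE_SIGNATURE: Version || Checksum || SeqNum.

    Assumption: key exchange was not negotiated, so the 8-byte checksum is
    not additionally RC4-encrypted with the sealing key.
    """
    seq = struct.pack("<I", seq_num)
    checksum = hmac.new(signing_key, seq + message, hashlib.md5).digest()[:8]
    return struct.pack("<I", 1) + checksum + seq


def verify_signature(signing_key: bytes, seq_num: int,
                     message: bytes, signature: bytes) -> bool:
    """Recompute the signature and compare in constant time."""
    expected = make_signature(signing_key, seq_num, message)
    return hmac.compare_digest(expected, signature)


# Constructed sample values, not taken from a real session.
SAMPLE_KEY = bytes(range(16))
SAMPLE_MSG = b"<constructed placeholder for the signed SIP fields>"

if __name__ == "__main__":
    key = sign_key(SAMPLE_KEY, CLIENT_SIGN_MAGIC)
    sig = make_signature(key, 0, SAMPLE_MSG)
    print(sig.hex(), verify_signature(key, 0, SAMPLE_MSG, sig))
```

A helper that returns only the AUTHENTICATE message gives the caller nothing to feed into `sign_key`, which is the gap the quoted reply describes.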