i _would_ announce this on the samba mailing lists but the samba team have placed some rather fascist censorship in place, and consider any posting that i make to any samba.org addresses to be "net abuse".

i've just modified winbindd (written in 2000 by tim and andrew) to be able to use it to do NTLM "challenge response" authentication.

i also wrote a small library, containing two functions, which could be used by absolutely any project: they take a user+pass+domain, or a user+domain+challenge+responses.

the functions don't care where your PDC is: it could be on the local machine, under which circumstances the back-end (winbindd) will adjust accordingly and save you some network traffic.

both functions return a "blob" which is a NET_USER_INFO_3 structure, which contains valuable information - in particular, it contains the session key, but also it contains the equivalent of uid+gid+secondary groups: namely, the primary user rid, primary group rid, and secondary group SIDs etc. that the user is in.

[for the benefit of the wine people: this information is essential for doing things like "ImpersonateNamedPipeClient" and "RpcImpersonateClient" in Wine / ReactOS, if the authentication being performed is to have any "meaning", as it's what gets passed to SeAccessCheck(). you can always of course return stub data and you can always have an implementation of SeAccessCheck return "ok"...]

samba tng cvs can be obtained via www.samba-tng.org/cvs.html and freedce cvs from http://sf.net/projects/freedce.

you can test the new interface by compiling and running bin/winbindauthtest - you must have a user of "test" with a password of "test".

i may have one more thing to do - add "NamedPipe" security context "inheritance" to the client-side libraries in FreeDCE, but to be honest i don't think it's all that essential / there going to be a whopping big demand for it.

l.