Stablising the winbind interface for squid's NTLM code

[Andrew Bartlett]

It has been discussed for a litle bit that the winbind interface used by
squid needs some stabiliy.  In particular, the squid team doesn't want
to have to chase every release (let along alpha) version just to make
their product work.

The initial suggestion was that we create a shared library and that this
would provide the stablity.  I talked to tridge about this, and was
reminded why shared libraries are such a pain in the first place... 
Tridge suggested that it would be better to have a standalone binary,
with a sane, machine-parseable interface....

As such, my proposal is that the Squid helper protocol form the basis
for this interface, and that code implementing this protocol (or a
compatible derivitive of it) should be included in future samba
releases.

Being a seperate execuable, licencing issues are overcome (not an issue
for squid, but we
can now allow the same thing for apache).  I hope that we can also use
the same NTLMSSP implementation inside Samba - which should ensure its
maintainence into the future.

Conceptually, it would be a simple code import from squid's current
helper's directory.  In practice, a lot of the code will need to be
reoganised and rewritten (simply due to differences between the
projects).  In particular, I would like to leverage tridge's RPC
encoder/decoder, and try to get a relitivly simple code-path going.

One change I would make:  Allow one helper to issue a challange, and
another to pick it up.  This could be done by sending the second helper
the challange packet, with a tag to say 'pretend you sent this'.

How does this sound?

Andrew Bartlett
-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net