Stabilising the winbind interface for squid's NTLM code

Steve Langasek vorlon at
Wed May 29 12:23:27 GMT 2002


On Sat, May 25, 2002 at 04:55:28PM +1000, Andrew Bartlett wrote:
> It has been discussed for a little bit that the winbind interface used by
> squid needs some stability.  In particular, the squid team doesn't want
> to have to chase every release (let alone alpha) version just to make
> their product work.

> The initial suggestion was that we create a shared library and that this
> would provide the stability.  I talked to tridge about this, and was
> reminded why shared libraries are such a pain in the first place... 
> Tridge suggested that it would be better to have a standalone binary,
> with a sane, machine-parseable interface....

> As such, my proposal is that the Squid helper protocol form the basis
> for this interface, and that code implementing this protocol (or a
> compatible derivative of it) should be included in future samba
> releases.

> Being a separate executable, licensing issues are overcome (not an issue
> for squid, but we can now allow the same thing for apache).  I hope that
> we can also use the same NTLMSSP implementation inside Samba - which
> should ensure its maintenance into the future.

> Conceptually, it would be a simple code import from squid's current
> helper's directory.  In practice, a lot of the code will need to be
> reorganised and rewritten (simply due to differences between the
> projects).  In particular, I would like to leverage tridge's RPC
> encoder/decoder, and try to get a relatively simple code-path going.

> One change I would make:  Allow one helper to issue a challenge, and
> another to pick it up.  This could be done by sending the second helper
> the challenge packet, with a tag to say 'pretend you sent this'.

By chance, do you have a reference handy for the Squid helper protocol?
An oft-requested feature for FreeTDS (an LGPL client library for MS SQL
and Sybase servers) is domain login support.  It would be nice to be
able to leverage the Samba team's work in the NTLMSSP department, rather
than reimplementing it from the ground-up.  Is there any chance that
this (or a) standalone binary might be useful for the client side of
NTLMSSP authentication?

Steve Langasek
postmodern programmer

More information about the samba-technical mailing list