Samba 3.0a19 breaks winbind helpers?

Andrew Bartlett abartlet at
Sun Sep 8 01:31:01 GMT 2002

Henrik Nordstrom wrote:
> Haven't tested yet.. we are using 3.0a18 which seems to work fine as
> far as I can tell..

That's probably from before I last played games with the interface :-)

> Let's hope we can get the versioning issue finally sorted out with the
> Samba team before Squid-2.6 (in at least 6 months I would guess)..
> For Squid-2.5 I guess we will have to specify which Samba versions are
> known to work with the helpers.

The current stable code uses the interface Squid expects - that's in
Samba 2.2.4 and above.  Samba 2.2 is in feature freeze, and I would not
expect any changes to this interface, in particular because of its use
by squid.

> Andrew: Do you think there will be fundamental changes to the winbindd
> API in the next 6 months, or do you think it will be sufficient for
> our purposes to just make use of new headers when there is a revised
> API?

Yes, there will be - I need to create a 'privileged' pipe for squid to
use, so that we don't give arbitrary users access to this resource.
However, this is in Samba 3.0 only - 2.2 will remain as it is, to avoid
breaking Squid.

To get current Samba 3.0 working should only *require* a new header, but
you might also want to fill in the 'workstation' field, and allow long
challenges - this might be sufficient to get NTLMv2 going (or it might

That's why I'm so keen to sort out this helper issue.  If only I had the
time to implement it...

If somebody on the squid side wants to pick up this project, I'm more
than happy to give a hand.  

The specifications are:
 - Use Samba's NTLMSSP code.  Needs separation from the surrounding code
   in clispnego.c and smbd/sesssetup.c
   - Also needs 'ascii' support added.  Currently all-unicode.
 - Separate Samba-supplied binary, called ntlm_auth
 - Use a Popt interface, so that we can specify --squid-2.5 for the
   current squid protocol etc.
 - Have a command-line challenge-response interface
   - takes --username=abartlet  --domain=FOO  --lm-resp=ASDGADF (hex
     encoded, 24 bytes)  --nt-resp=AADFAFG1232  (hex encoded >=24 bytes)
   - returns NT_STATUS_... on stdout, 0 or 1 to exit code
 - Have a similar 'plaintext' interface (option not to have password on
   cmd line)

The idea is that this can be a stable, long-term interface that Samba
can provide, to squid and other projects

Any takers?

> Regards
> Henrik
> On Sunday 08 September 2002 02.30, Jerry Murdock wrote:
> > Is anyone running these together successfully?
> >
> > Looks like the api change Andrew has been warning about happened.
> >
> > If so, I will update the FAQ, probably should be in release note as
> > well.
> >
> > Jerry

Andrew Bartlett                                 abartlet at
Manager, Authentication Subsystems, Samba Team  abartlet at
Student Network Administrator, Hawker College   abartlet at
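
Added example, not part of the original message and not Samba's code: a sketch of how a helper could validate the hex-encoded --lm-resp (24 bytes) and --nt-resp (>=24 bytes) arguments from the proposal above before passing them to any authentication code. The function names, the NT_RESP_MAX cap and the sample values are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>

#define LM_RESP_LEN 24   /* from the post: --lm-resp is 24 bytes */
#define NT_RESP_MIN 24   /* from the post: --nt-resp is >= 24 bytes */
#define NT_RESP_MAX 1024 /* assumption: upper bound picked for this sketch */

/* Constructed sample values (bytes 0x00..0x17 and 0x00..0x1f), not real responses. */
static const char SAMPLE_LM[] = "000102030405060708090a0b0c0d0e0f1011121314151617";
static const char SAMPLE_NT[] = "000102030405060708090a0b0c0d0e0f"
                                "101112131415161718191a1b1c1d1e1f";

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode hex into out. Returns the byte count, or -1 for odd length,
 * a non-hex character, or input longer than cap bytes. */
static long hex_decode(const char *hex, unsigned char *out, size_t cap)
{
    size_t n = strlen(hex);
    if (n % 2 != 0 || n / 2 > cap) return -1;
    for (size_t i = 0; i < n; i += 2) {
        int hi = hexval(hex[i]), lo = hexval(hex[i + 1]);
        if (hi < 0 || lo < 0) return -1;
        out[i / 2] = (unsigned char)((hi << 4) | lo);
    }
    return (long)(n / 2);
}

/* Hypothetical check_responses(): 0 if both arguments are well formed, else 1. */
int check_responses(const char *lm_hex, const char *nt_hex)
{
    unsigned char lm[LM_RESP_LEN], nt[NT_RESP_MAX];
    if (hex_decode(lm_hex, lm, sizeof lm) != LM_RESP_LEN) return 1;
    if (hex_decode(nt_hex, nt, sizeof nt) < NT_RESP_MIN) return 1;
    return 0;
}

int main(void)
{
    printf("%d\n", check_responses(SAMPLE_LM, SAMPLE_NT)); /* well formed */
    printf("%d\n", check_responses("ASDGADF", SAMPLE_NT)); /* placeholder from the post */
    return 0;
}
```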

