Samba 3.0a19 breaks winbind helpers?
abartlet at samba.org
Sun Sep 8 01:31:01 GMT 2002
Henrik Nordstrom wrote:
> Haven't tested yet.. we are using 3.0a18 which seems to work fine as
> far as I can tell..
Thats probably from before I last played games with the interface :-)
> Lets hope we can get the versioning issue finally sorted out with the
> Samba team before Squid-2.6 (in at least 6 months I would guess)..
> For Squid-2.5 I guess we will have to speficy which Samba versions are
> known to work with the helpers.
The current stable code uses the interface Squid expects - that's in
Samba 2.2.4 and above. Samba 2.2 is in feature freeze, and I would not
expect any changes to this interface, In particular becouse of it's use
> Andrew: Do you think there will be fundamental changes to the winbindd
> API in the next 6 months, or do you think it will be sufficient for
> our purposes to just make use of new headers when there is a revised
Yes, there will be - I need to create a 'privilaged' pipe for squid to
use, so that we don't give arbitary users access to this resource.
Hoever, this in in Samba 3.0 only - 2.2 will remian as it is, to avoid
To get current Samba 3.0 working should only *require* a new header, but
you might also want to fill in the 'workstation' feild, and allow long
challanges - this might be sufficient to get NTLMv2 going (or it might
That's why I'm so keen to sort out this helper issue. If only I had the
time to implement it...
If sombody on the squid side wants to pick up this project, I'm more
than happy to give a hand.
The specifications are:
- Use Samba's NTLMSSP code. Needs seperation from the surrounding code
in clispnego.c and smbd/sesssetup.c
- Also needs 'ascii' support added. Currently all-unicode.
- Seperate Samba-supplied binary, called ntlm_auth
- Use a Popt interface, so that we can specify --squid-2.5 for the
current squid protocol etc.
- Have a command-line challange-response interface
- takes --username=abartlet --domain=FOO --lm-resp=ASDGADF (hex
encoded, 24 bytes) --nt-resp=AADFAFG1232 (hex encoded >=24 bytes)
- returns NT_STATUS_... on stdout, 0 or 1 to exit code
- Have a similar 'plaintext' inteface (option not to have password on
The idea is that this can be a stable, long-term interface that Samba
can provide, to squid and other projects
> On Sunday 08 September 2002 02.30, Jerry Murdock wrote:
> > Is anyone running these together successfully?
> > Looks like the api change Andrew has been warning about happened.
> > If so, I will update the FAQ, probably should be in release note as
> > well.
> > Jerry
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
More information about the samba-technical