Samba 3.0a19 breaks winbind helpers?

Henrik Nordström hno at marasystems.com
Sun Sep 8 08:33:00 GMT 2002


On Sun, 8 Sep 2002, Andrew Bartlett wrote:

> The current stable code uses the interface Squid expects - that's in
> Samba 2.2.4 and above.  Samba 2.2 is in feature freeze, and I would not
> expect any changes to this interface, in particular because of its use
> by squid.

Ok. So the specification is simply that Samba-2.2, version 2.2.4 or later
is what must be used. In Samba-3 there will be other means.

> The specifications are:
>  - Use Samba's NTLMSSP code.  Needs separation from the surrounding code
> in clispnego.c and smbd/sesssetup.c
>  - Also needs 'ascii' support added.  Currently all-unicode.

Meaning you do not support clients not supporting unicode yet?

>  - Separate Samba-supplied binary, called ntlm_auth
>  - Use a Popt interface, so that we can specify --squid-2.5 for the
> current squid protocol etc. 

Very good idea.

As you already are mixing plaintext into the mix I would propose a single 
helper for both plaintext, ntlmssp and raw ntlm.

  --squid-2.4
	login<SP>password[\r]\n, support spaces in the password field
  --squid-2.4-long-usernames
	login<SP>password[\r]\n, support spaces in the login field
  --squid-2.5-basic
	login<SP>password[\r]\n, URL encoded fields
  --squid-2.5-ntlmssp
	the stateful NTLMSSP helper protocol of Squid-2.5
  --squid-2.6-ntlmssp
	the NTLMSSP helper protocol of Squid-2.6 (whatever that will look like)

or perhaps simply instead of --squid-2.5-basic and --squid-2.6-ntlm use 
generic names not tied to squid if these protocols are deemed generically 
acceptable, like

  --plaintext
  --ntlmssp

which is a bit too many options, so there should probably be a single 
option with the helper protocol to use as argument..

  --helper-protocol=[one of the above]

>  - Have a command-line challenge-response interface
>  - takes --username=abartlet  --domain=FOO  --lm-resp=ASDGADF (hex
> encoded, 24 bytes)  --nt-resp=AADFAFG1232  (hex encoded >=24 bytes)

Shouldn't there be a --challenge=... option in this command line "raw
NTLM" mode? And who should generate the challenge bytes?

A note of warning: Many "first try" applications using the above command
line mode are likely to fail on usernames (or domains?) with spaces in
them..

What about also supporting a stream oriented NTLM mode?

NTLMv2 responses can be identified by their length, and do not need any
additional data from the client, right?

>  - returns NT_STATUS_... on stdout, 0 or 1 to exit code
>  - Have a similar 'plaintext' interface (option not to have password on
> cmd line)
> 
> The idea is that this can be a stable, long-term interface that Samba
> can provide, to squid and other projects

Great!

> Any takers?

In the raw NTLM mode, what about the session key (MD5(NT#) IIRC)? Will
there be support from winbindd to have this returned? Needed for MSCHAPv2,
remember? This should obviously be restricted to applications running
with a specific uid/group configured in smb.conf...  (use SO_PEERCRED to
find out in winbindd)

Regards
Henrik
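The command-line "raw NTLM" mode discussed in this message, as an added example that is not part of the original mail and not Samba's ntlm_auth: a small verifier that takes --username/--domain/--challenge/--lm-resp/--nt-resp (the --challenge option is the one asked about above and is an assumption here), classifies the NT response as NTLMv1 or NTLMv2 by its length, verifies an NTLMv2 response with HMAC-MD5 from the standard library, derives the NTLMv2 session base key, prints an NT_STATUS_... string and returns 0 or 1. NTLMv1 (exactly 24 bytes) needs DES, which the standard library lacks, so it is only classified. The NT hash, server challenge and blob are constructed sample values, and the lookup callback stands in for the passdb/winbindd lookup a real helper would do; a username containing a space is used deliberately.

```python
"""Illustrative verifier for the proposed ntlm_auth "raw NTLM" command-line
mode (example code, not Samba's).  Only NTLMv2 is verified; constants and
the --challenge option are assumptions made for this example."""
import argparse
import hashlib
import hmac
import struct
import sys


def ntowf_v2(nt_hash: bytes, username: str, domain: str) -> bytes:
    # MS-NLMP NTOWFv2: HMAC-MD5 keyed with the NT hash over
    # UPPERCASE(user) || domain, both UTF-16LE (the domain keeps its case).
    data = (username.upper() + domain).encode("utf-16-le")
    return hmac.new(nt_hash, data, hashlib.md5).digest()


def classify(nt_resp: bytes) -> str:
    # NTLMv1 NT responses are exactly 24 bytes (three DES blocks); NTLMv2
    # responses are 16 bytes of NTProofStr followed by a variable-length blob.
    if len(nt_resp) == 24:
        return "NTLMv1"   # needs DES and MD4 (session key); not checked here
    if len(nt_resp) > 24:
        return "NTLMv2"
    raise ValueError("NT response must be at least 24 bytes")


def ntlmv2_response(nt_hash, username, domain, server_challenge, blob):
    """Client side: NTProofStr || blob.  The blob already carries the client
    challenge and timestamp, so the verifier needs nothing else from the client."""
    key = ntowf_v2(nt_hash, username, domain)
    proof = hmac.new(key, server_challenge + blob, hashlib.md5).digest()
    return proof + blob


def verify_ntlmv2(nt_hash, username, domain, server_challenge, nt_resp):
    """Server side.  Returns (ok, session_base_key); per MS-NLMP the NTLMv2
    SessionBaseKey is HMAC-MD5(NTOWFv2, NTProofStr)."""
    if classify(nt_resp) != "NTLMv2":
        raise ValueError("only NTLMv2 responses are verified here")
    proof, blob = nt_resp[:16], nt_resp[16:]
    key = ntowf_v2(nt_hash, username, domain)
    expected = hmac.new(key, server_challenge + blob, hashlib.md5).digest()
    if not hmac.compare_digest(proof, expected):
        return False, None
    return True, hmac.new(key, proof, hashlib.md5).digest()


def make_blob(timestamp: int, client_challenge: bytes) -> bytes:
    # Minimal NTLMv2_CLIENT_CHALLENGE: type 1/1, reserved, FILETIME, client
    # nonce, reserved, an empty AV-pair list (MsvAvEOL), reserved.
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + b"\x00" * 4 + b"\x00" * 4)


def run(argv, lookup_nt_hash):
    """The proposed interface: hex-encoded responses on the command line,
    NT_STATUS_... on stdout, exit code 0 (ok) or 1.  lookup_nt_hash(domain,
    user) stands in for the passdb/winbindd lookup; the hash never comes
    from argv, which would be visible to every local user via ps."""
    p = argparse.ArgumentParser()
    p.add_argument("--username", required=True)
    p.add_argument("--domain", default="")
    p.add_argument("--challenge", required=True)   # 8-byte server challenge, hex
    p.add_argument("--lm-resp", default="")         # unused for NTLMv2
    p.add_argument("--nt-resp", required=True)
    a = p.parse_args(argv)
    nt_resp = bytes.fromhex(a.nt_resp)
    challenge = bytes.fromhex(a.challenge)
    if len(challenge) != 8 or classify(nt_resp) != "NTLMv2":
        print("NT_STATUS_INVALID_PARAMETER")
        return 1
    ok, _session_key = verify_ntlmv2(lookup_nt_hash(a.domain, a.username),
                                     a.username, a.domain, challenge, nt_resp)
    print("NT_STATUS_OK" if ok else "NT_STATUS_WRONG_PASSWORD")
    return 0 if ok else 1


# Constructed sample data, not real credentials.  A real NT hash is
# MD4(UTF-16LE(password)); this one is an arbitrary 16-byte value.
NT_HASH = bytes.fromhex("00112233445566778899aabbccddeeff")
SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")
BLOB = make_blob(timestamp=0x01D3F0A0B0C0D0E0, client_challenge=b"\xaa" * 8)
USER, DOMAIN = "Jane Doe", "FOO"   # username with a space, as warned about above


def demo():
    """Build a valid NTLMv2 response and feed it through the CLI interface."""
    resp = ntlmv2_response(NT_HASH, USER, DOMAIN, SERVER_CHALLENGE, BLOB)
    argv = ["--username", USER, "--domain", DOMAIN,
            "--challenge", SERVER_CHALLENGE.hex(), "--nt-resp", resp.hex()]
    return run(argv, lambda domain, user: NT_HASH)


if __name__ == "__main__":
    sys.exit(demo())
```

Because argv is passed as a list, the username "Jane Doe" survives intact; the breakage Henrik warns about happens only when a caller builds a single shell string and lets the shell split it on spaces.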
