Samba 3.0a19 breaks winbind helpers?

Andrew Bartlett abartlet at
Sun Sep 8 08:52:00 GMT 2002

Henrik Nordström wrote:
> On Sun, 8 Sep 2002, Andrew Bartlett wrote:
> > The current stable code uses the interface Squid expects - that's in
> > Samba 2.2.4 and above.  Samba 2.2 is in feature freeze, and I would not
> > expect any changes to this interface, In particular becouse of it's use
> > by squid.
> Ok. So the specification is simply that Samba-2.2, version 2.2.4 or later
> is what must be used. In Samba-3 there will be other means.
> > The specifications are:
> >  - Use Samba's NTLMSSP code.  Needs seperation from the surrounding code
> > in clispnego.c and smbd/sesssetup.c
> >  - Also needs 'ascii' support added.  Currently all-unicode.
> Meaning you do not support clients nost supporting unicode yet?

The only CIFS/SMB client that does NTLMSSP is Win2k, and it does
unicode.  The other clients just use standard Session Setups, where we
support ASCII and Unicode as negotiated (in HEAD, ASCII/multibyte only
in 2.2)

> >  - Seperate Samba-supplied binary, called ntlm_auth
> >  - Use a Popt interface, so that we can specify --squid-2.5 for the
> > current squid protocol etc.
> very good idea.
> As you already are mixing plaintext into the mix I would propose a single
> helper for both plaintext, ntlmssp and raw ntlm.


>   --squid-2.4
>         login<SP>password[\r]\n, support spaces in the password field
>   --squid-2.4-long-usernames
>         login<SP>password[\r]\n, support spaces in the login field
>   --squid-2.5-basic
>         login<SP>password[\r]\n, URL encoded fields

For these I would much prefer (unless you have a very good reason) to
just use PAM.  That way we keep the number of interfaces down.  (We have
to maintain the PAM suff regardless).

But if it just 'falls out' of the design (we will want one way to do
plaintext, just for testing sanity) then it's fine.

>   --squid-2.5-ntlmssp
>         the stateful NTLMSSP helper protocol of Squid-2.5
>   --squid-2.6-ntlmssp
>         the NTLMSSP helper protocol of Squid-2.6 (whatever that will look
> like)
> or perhaps simply instead of --squid-2.5-basic and --squid-2.6-ntlm use
> generic names not tied to squid if these protocols are deemed generically
> acceptable, like
>   --plaintext
>   --ntlmssp

For now, you guys 'own' the protocol but I don't mind either way.

> which is a bit too many options, so there should probably be a single
> option with the helper protocol to use as argument..
>   --helper-protocol=[one of the above]
> >  - Have a command-line challange-response interface
> >  - takes --username=abartlet  --domain=FOO  --lm-resp=ASDGADF (hex
> > encoded, 24 bytes)  --nt-resp=AADFAFG1232  (hex encoded >=24 bytes)
> Shouldn't there be a --challenge=... option in this command line "raw
> NTLM" mode? And who should generate the challenge bytes?

Indeed there should - nice catch :-).  The user should generate them in
this case.

> A note of warning: Many "first try" applications using the above command
> line mode is likely to fail on usernames (or domains?) with spaces in
> them..

This program is intended to be invoked directly by external programs, so
they can pass in the string directly into the right argv buffer.  Shell
users can quote.

> What about a also supporting a stream oriented NTLM mode?

I don't see the need - most applications doing this so frequently that
they need a stream mode are doing NTLMSSP anyway.  Less interfaces

> NTLMv2 repsonses can be identified by their length, and do not need any
> additional data from the client, right?


> >  - returns NT_STATUS_... on stdout, 0 or 1 to exit code
> >  - Have a similar 'plaintext' inteface (option not to have password on
> > cmd line)
> >
> > The idea is that this can be a stable, long-term interface that Samba
> > can provide, to squid and other projects
> Great!
> > Any takers?
> In the raw NTLM mode, what about the session key (MD5(NT#) IIRC)? 
MD4(NT#) aka MD4(MD4(password))
> Will
> there be support from winbindd to have this returned? Needed for MSCHAPv2,
> remember?. This should obviously be restricted to applications running
> with a specific uid/group configured in smb.conf...  (use SO_PEERCRED to
> find out in winbindd)

That's what we need to do with a privileged pipe - the idea is to avoid
needing to add a dependency on SO_PEERCRED.

These would be requested by command line arguments. --nt-session-key
etc, and be returned on stdout, again HEX encoded.

Andrew Bartlett

Andrew Bartlett                                 abartlet at
Manager, Authentication Subsystems, Samba Team  abartlet at
Student Network Administrator, Hawker College   abartlet at

More information about the samba-technical mailing list