winbindd NTLMSSP helper

Andrew Bartlett abartlet at samba.org
Sun Sep 8 09:23:01 GMT 2002


Henrik Nordström wrote:
> 
> On Sun, 8 Sep 2002, Andrew Bartlett wrote:
> 
> > For these I would much prefer (unless you have a very good reason) to
> > just use PAM.  That way we keep the number of interfaces down.  (We have
> > to maintain the PAM stuff regardless).
> 
> I would prefer if there was a "direct" alternative, not requiring PAM.
> Mainly for simplicity of administration, but also because we have to
> support some systems not using PAM...

Yes, maintaining the squid stuff separate to the OS has its advantages.

> Btw, is it at all possible to build winbindd on systems not supporting PAM
> and/or NSS?

Yes, but it might not be there by default.  Add --with-winbind in these
cases.

> > But if it just 'falls out' of the design (we will want one way to do
> > plaintext, just for testing sanity) then it's fine.
> 
> As the plaintext support will be needed anyway for testing I don't think
> adding a couple of stream protocols for it will be much of a deal.

It will just be a few extra helper functions, and a switch, so I suppose
that's fine.

> > For now, you guys 'own' the protocol but I don't mind either way.
> 
> Ok.
>
> > > What about also supporting a stream oriented NTLM mode?
> >
> > I don't see the need - most applications doing this so frequently that
> > they need a stream mode are doing NTLMSSP anyway.  Fewer interfaces
> > again...
> 
> Right.
> 
> > That's what we need to do with a privileged pipe - the idea is to avoid
> > needing to add a dependency on SO_PEERCRED.
> 
> Either way is fine by me.
> 
> Note: You still need smb.conf options to specify the required privileges..
> instead of verifying with SO_PEERCRED this is then used to set the
> permissions of the privileged pipe when created by winbindd.

The current idea is that the privileged pipe would live in a
subdirectory of Samba's LOCKDIR.  The administrator would then be free
to set the privileges on the pipe directory, without smb.conf options.
Clients would contact the 'normal' winbind pipe to locate the privileged
pipe, or there would be a symlink as /tmp/.winbind/priv-pipe.

Better ideas are most welcome...

> I'll try to collect all of this into a single document.

Thanks,

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
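An added sketch of the two-pipe layout described in the message above: a "normal" pipe that anyone can reach and that only answers a locate request, and a "privileged" pipe inside a subdirectory of the lock directory whose permissions gate access. This is example code written for this page, not Samba's winbindd; the pipe file names, the `PRIV_PIPE_PATH` locate request, the `winbindd_privileged` directory name and the one-line replies are all invented for illustration. The symlink variant mentioned in the message is not implemented here.

```python
"""
Demo of a privileged pipe protected by directory permissions rather than
SO_PEERCRED: the normal pipe hands out the privileged pipe's path, and
connect() on the privileged pipe only succeeds for users with search
permission on its directory.  Added example, not Samba code.
"""
import os
import socket
import stat
import tempfile
import threading

LOCATE_REQ = b"PRIV_PIPE_PATH\n"   # hypothetical locate request, invented here


def serve_one(path, handler):
    """Bind a Unix socket at `path`, serve one request/response, then close."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(handler(conn.recv(256)))
        srv.close()

    t = threading.Thread(target=run, daemon=True)
    t.start()
    return t


def start_winbindd(lockdir):
    """
    Create the normal pipe in `lockdir` and the privileged pipe in
    lockdir/winbindd_privileged.  The directory is created 0700 here; an
    administrator would chgrp/chmod it to admit the trusted group (e.g. squid)
    without any smb.conf option.  Returns (normal_path, priv_path, threads).
    """
    priv_dir = os.path.join(lockdir, "winbindd_privileged")
    os.mkdir(priv_dir, 0o700)
    os.chmod(priv_dir, 0o700)      # mkdir's mode is masked by umask; set it explicitly
    normal_path = os.path.join(lockdir, "pipe")
    priv_path = os.path.join(priv_dir, "pipe")

    def normal_handler(req):
        # The unprivileged pipe never performs privileged work; it only
        # tells the client where the privileged pipe lives.
        if req == LOCATE_REQ:
            return priv_path.encode() + b"\n"
        return b"ERR unknown request\n"

    def priv_handler(req):
        # Anything that reaches this socket already passed the kernel's
        # permission check on priv_dir; privileged operations would go here.
        return b"OK privileged: " + req.strip() + b"\n"

    threads = [serve_one(normal_path, normal_handler),
               serve_one(priv_path, priv_handler)]
    return normal_path, priv_path, threads


def ask(path, msg):
    """One request/response round trip on a Unix stream socket."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as c:
        c.connect(path)
        c.sendall(msg)
        return c.recv(256)


def client_session(normal_path):
    """Client side: locate the privileged pipe via the normal one, then use it."""
    priv_path = ask(normal_path, LOCATE_REQ).strip().decode()
    reply = ask(priv_path, b"AUTH_REQUEST\n")   # hypothetical privileged request
    return priv_path, reply


def demo():
    """Run server and client in one process; report what the client saw."""
    with tempfile.TemporaryDirectory() as lockdir:
        normal_path, priv_path, threads = start_winbindd(lockdir)
        located, reply = client_session(normal_path)
        for t in threads:
            t.join(timeout=5)
        mode = stat.S_IMODE(os.stat(os.path.dirname(priv_path)).st_mode)
        return {"located_ok": located == priv_path,
                "reply": reply,
                "priv_dir_mode": mode}


if __name__ == "__main__":
    print(demo())
```

The enforcement point is the directory: connect() on a Unix socket needs search permission on every path component, so a client that cannot traverse `winbindd_privileged` gets EACCES before the server ever sees it, which is why the directory mode replaces both SO_PEERCRED and an smb.conf option in this design. Note that root bypasses these checks, so the demo's mode assertion shows the configuration, not a denial.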
