[PATCH] Add winbind-backed NTLMSSP support to Cyrus-SASL

Ken Murchison ken at oceana.com
Wed Dec 31 17:49:45 GMT 2003


Andrew Bartlett wrote:

> Windows authentication extends far beyond the CIFS protocol that Samba
> implements, but it is only very recently that work has been done to catch
> up to Microsoft's extensions in this area.  This has caused many
> administrators pain and toil that their MS counterparts simply don't
> have.  For them, authentication 'just works', with single-sign-on and
> the lot.
> 
> I have worked, for over a year, with the Squid development team, in
> extending NTLMSSP authentication to HTTP.  The squid team made a very
> good start (as I see Cyrus-SASL now has) in including a basic NTLMSSP
> implementation, and even providing a proxy-mechanism to authenticate
> against a Windows DC.  I extended on this base, providing the
> ntlm_auth tool, which allows them to perform this against winbind, and
> without having to understand NTLMSSP as anything more than BASE64 strings.
> 
> This provides a much more reliable interface, as winbind is not only faster, 
> we can also prevent man-in-the-middle attacks.
> 
> The attached patch provides this for Cyrus-SASL.  In the same way that
> Squid now uses Winbind, all Cyrus-SASL enabled applications can use
> Winbind (via ntlm_auth) to authenticate their users.  This provides
> the most current NTLMSSP implementation in the Open Source arena, as
> it is the one that we must maintain for Samba's internal use.
> 
> The plugin is designed to use ntlm_auth over a stdio interface,
> because as part of Samba, it is GPL'ed.  The plugin provides a client
> and a server implementation, but can only proxy its server-side (I
> can provide a mode that allows for local passwords if it is required).
> 
> Current Samba 3.0 CVS is required to find the NTLMSSP client code exposed.

Here is my opinion, Rob's *may* differ:

Having support for all of the latest NTLMSSP stuff is a great idea, but 
I don't think we want to have yet another dependency for Cyrus SASL, 
especially unreleased Samba code.

I also think that being able to use passwords that are stored in an 
auxprop plugin is mandatory as there might be sites which want to 
support MS clients but don't have an MS server to proxy to.

Can you point me to any references to Winbind, so I at least know what 
we are missing?

> Patch against current SASL CVS, but my testing was actually with 2.1.15

I wanted to take a look at your code, but this patch does not apply 
cleanly to CVS -- only 1 of 7 hunks succeeds.

-- 
Kenneth Murchison     Oceana Matrix Ltd.
Software Engineer     21 Princeton Place
716-662-8973 x26      Orchard Park, NY 14127
--PGP Public Key--    http://www.oceana.com/~ken/ksm.pgp
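The quoted message describes the plugin's architecture only in outline: the SASL server side hands NTLMSSP blobs to ntlm_auth over stdio as base64 strings and lets winbind do the real work. The following is an added example, not code from the patch, Cyrus-SASL or Samba, showing what that stdio conversation looks like from the caller's side. The line protocol it drives (send `YR <base64 NEGOTIATE>`, expect `TT <base64 CHALLENGE>`; send `KK <base64 AUTHENTICATE>`, expect `AF <user>`, `NA <reason>` or `BH <reason>`) and the `--helper-protocol=squid-2.5-ntlmssp` flag are taken from Samba's ntlm_auth as I know it, not from the message, which only says "stdio interface" and "BASE64 strings". `fake_helper_talk` is a constructed stand-in that does no NTLM cryptography at all, so the example runs without winbind; `ntlm_auth_talk` is the hook for the real helper.

```python
"""Drive an NTLMSSP helper over stdio, ntlm_auth-style (added example)."""
import base64
import subprocess
from typing import Callable, Tuple

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"  # every NTLMSSP message starts with this
NEGOTIATE, CHALLENGE, AUTHENTICATE = 1, 2, 3  # message types, little-endian at offset 8


class HelperError(Exception):
    """Raised when a blob is malformed or the helper answers unexpectedly."""


def _check_blob(blob: bytes, expected_type: int) -> None:
    """Refuse to forward anything that is not an NTLMSSP message of the expected type."""
    if len(blob) < 12 or blob[:8] != NTLMSSP_SIGNATURE:
        raise HelperError("not an NTLMSSP message")
    msg_type = int.from_bytes(blob[8:12], "little")
    if msg_type != expected_type:
        raise HelperError(f"expected NTLMSSP type {expected_type}, got {msg_type}")


def _exchange(talk: Callable[[str], str], verb: str, blob: bytes) -> Tuple[str, str]:
    """Send one '<VERB> <base64>' line and split the reply into (code, payload)."""
    line = talk(f"{verb} {base64.b64encode(blob).decode('ascii')}")
    code, _, payload = line.strip().partition(" ")
    return code, payload


def server_side_auth(talk: Callable[[str], str], negotiate: bytes,
                     get_authenticate: Callable[[bytes], bytes]) -> Tuple[str, str]:
    """Run the server side of NTLMSSP through the helper.

    negotiate        -- the client's type-1 blob as received by the SASL server
    get_authenticate -- callback that relays the type-2 challenge to the client
                        (the SASL step in between) and returns its type-3 reply
    Returns ("AF", username) on success or ("NA", reason) on rejection.
    """
    _check_blob(negotiate, NEGOTIATE)
    code, payload = _exchange(talk, "YR", negotiate)
    if code != "TT":
        raise HelperError(f"helper did not produce a challenge: {code} {payload}")
    challenge = base64.b64decode(payload)
    _check_blob(challenge, CHALLENGE)
    authenticate = get_authenticate(challenge)
    _check_blob(authenticate, AUTHENTICATE)
    code, payload = _exchange(talk, "KK", authenticate)
    if code not in ("AF", "NA"):  # BH or anything else means the helper is broken
        raise HelperError(f"helper failure: {code} {payload}")
    return code, payload


def ntlm_auth_talk(cmd=("ntlm_auth", "--helper-protocol=squid-2.5-ntlmssp")):
    """Talk function backed by a real helper process (needs Samba and a running winbind)."""
    proc = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE,
                            text=True, bufsize=1)

    def talk(line: str) -> str:
        proc.stdin.write(line + "\n")
        proc.stdin.flush()
        reply = proc.stdout.readline()
        if not reply:
            raise HelperError("helper exited")
        return reply
    return talk


def fake_helper_talk(valid_users=("alice",)):
    """Constructed stand-in for ntlm_auth so the example runs offline.

    It issues a fixed 8-byte challenge and accepts a type-3 whose trailing
    bytes name a known user; a real type 3 carries LM/NT responses instead.
    """
    state = {"challenged": False}

    def talk(line: str) -> str:
        verb, _, b64 = line.strip().partition(" ")
        blob = base64.b64decode(b64)
        if verb == "YR" and blob[8:12] == NEGOTIATE.to_bytes(4, "little"):
            state["challenged"] = True
            chal = NTLMSSP_SIGNATURE + CHALLENGE.to_bytes(4, "little") + bytes(range(8))
            return "TT " + base64.b64encode(chal).decode("ascii")
        if verb == "KK" and state["challenged"] and blob[8:12] == AUTHENTICATE.to_bytes(4, "little"):
            user = blob[12:].decode("ascii", "replace")
            return f"AF {user}" if user in valid_users else "NA NT_STATUS_LOGON_FAILURE"
        return "BH unexpected input"
    return talk


def make_negotiate() -> bytes:
    """Constructed minimal type-1 blob (signature and type only)."""
    return NTLMSSP_SIGNATURE + NEGOTIATE.to_bytes(4, "little")


def make_authenticate(user: str) -> bytes:
    """Constructed type-3 blob understood only by fake_helper_talk."""
    return NTLMSSP_SIGNATURE + AUTHENTICATE.to_bytes(4, "little") + user.encode("ascii")


if __name__ == "__main__":
    talk = fake_helper_talk()  # swap for ntlm_auth_talk() against a real winbind
    print(server_side_auth(talk, make_negotiate(), lambda chal: make_authenticate("alice")))
```

The point of `_check_blob` is the one the quoted message makes: the SASL plugin never has to understand NTLMSSP beyond "this is an NTLMSSP message of the type I expect", because the challenge generation and the password verification stay inside winbind. Swapping `fake_helper_talk()` for `ntlm_auth_talk()` is the only change needed to run the same flow against a real domain.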



More information about the samba-technical mailing list