Samba 3.0 and ntlm_auth
abartlet at samba.org
Sun May 11 05:17:12 GMT 2003
Just a quick note to describe what 'ntlm_auth' is in the Samba 3.0
After working with the Squid team on wb_ntlmauth, I soon decided that I
wanted to use our NTLMSSP code to create 'NTLMSSP done right', without
structure hacks and with one place to get the bugs right :-).
(As you know, Samba maintains its NTLMSSP code for SMB, and LDAP
The result was a utility called ntlm_auth. It handles Squid 2.4 and 2.5
basic authentication, and Squid 2.5 NTLMSSP authentication.
It is tied to winbind, and uses the 'privileged pipe' to access the
challenge/response code. (no more special configure options). This is
usually in samba's LOCKDIR, and the permissions should be changed to
allow squid to use it.
It implements the squid protocols, but a 'midgard' module is under
development, with an apache 2 module to follow.
If a negotiate packet is sent for a YR call, then it uses that. It
needs winbind to maintain some kind of state for it, but I'm quite happy
for that to be as little as 'this is connection 5' - which would reduce
the need for 20 helpers to be in memory at once. Winbind is a single
thread, so having multiple helpers doesn't actually achieve anything.
It doesn't actually use the protocol letters for much, instead decoding
the NTLMSSP response to figure it out.
Samba 3.0's winbindd is also getting better, with recent work reducing
the number of packets we need to send to the DC to just 2, and reducing
the DC's internal lookups at the same time.
My hope is that in the long term, squid's wb_ntlmauth can 'go away', so
we don't have external dependencies on the winbind pipe protocol.
Of interest to developers is its '--diagnosis' option, which will
attempt a large number of authentication combinations, and tells you
what the server will support.
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
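As an added illustration (not code from this post, nor from Samba or Squid), the following shows the approach described above: a helper that classifies Squid NTLM helper lines by decoding the NTLMSSP message type from the base64 blob rather than trusting the YR/KK letters. The sample messages are constructed minimal NTLMSSP headers, not captured traffic.

```python
import base64
import binascii
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE, CHALLENGE, AUTHENTICATE = 1, 2, 3


def ntlmssp_message_type(blob):
    """Return the NTLMSSP message type (1, 2 or 3) from a raw message,
    or None if the blob does not carry the NTLMSSP signature."""
    if len(blob) < 12 or blob[:8] != NTLMSSP_SIGNATURE:
        return None
    (msg_type,) = struct.unpack_from("<I", blob, 8)  # little-endian type field
    return msg_type


def classify_helper_line(line):
    """Classify one Squid NTLM helper request line ('YR [base64]' or 'KK base64').
    As the post describes for ntlm_auth, the decision comes from the decoded
    NTLMSSP type, so a negotiate packet on a YR line is handled as a negotiate."""
    parts = line.strip().split(" ", 1)
    verb = parts[0]
    if len(parts) == 1:
        # a bare YR means "start fresh"; any other verb without data is malformed
        return ("fresh-start", verb) if verb == "YR" else ("protocol-error", verb)
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except (ValueError, binascii.Error):
        return ("bad-base64", verb)
    msg_type = ntlmssp_message_type(blob)
    if msg_type == NEGOTIATE:
        return ("negotiate", verb)
    if msg_type == AUTHENTICATE:
        return ("authenticate", verb)
    return ("not-ntlmssp", verb)


def _sample_message(msg_type):
    # constructed minimal NTLMSSP header: signature, type, then a zeroed payload
    raw = NTLMSSP_SIGNATURE + struct.pack("<I", msg_type) + b"\x00" * 24
    return base64.b64encode(raw).decode()


SAMPLE_NEGOTIATE_LINE = "YR " + _sample_message(NEGOTIATE)      # constructed
SAMPLE_AUTHENTICATE_LINE = "KK " + _sample_message(AUTHENTICATE)  # constructed
SAMPLE_MISLABELLED_LINE = "KK " + _sample_message(NEGOTIATE)      # constructed
```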