Samba 3.0 and ntlm_auth

Andrew Bartlett abartlet at samba.org
Sun May 11 05:17:12 GMT 2003


Just a quick note to describe what 'ntlm_auth' is in the Samba 3.0
sources.

After working with the Squid team on wb_ntlmauth, I soon decided that I
wanted to use our NTLMSSP code to create 'NTLMSSP done right', without
structure hacks and with one place to get the bugs right :-).

(As you know, Samba maintains its NTLMSSP code for SMB and LDAP
already).

The result was a utility called ntlm_auth.  It handles Squid 2.4 and 2.5
basic authentication, and Squid 2.5 NTLMSSP authentication.

It is tied to winbind, and uses the 'privileged pipe' to access the
challenge/response code.  (no more special configure options).  This is
usually in Samba's LOCKDIR, and the permissions should be changed to
allow squid to use it.

It implements the squid protocols, but a 'midgard' module is under
development, with an apache 2 module to follow.

Usage:

ntlm_auth --helper-protocol=squid-2.5-basic
			    squid-2.4-basic
			    squid-2.5-ntlmssp

If a negotiate packet is sent for a YR call, then it uses that.  It
needs winbind to maintain some kind of state for it, but I'm quite happy
for that to be as little as 'this is connection 5' - which would reduce
the need for 20 helpers to be in memory at once.  Winbind is a single
thread, so having multiple helpers doesn't actually achieve anything.

It doesn't actually use the protocol letters for much, instead decoding
the NTLMSSP response to figure it out.

Samba 3.0's winbindd is also getting better, with recent work reducing
the number of packets we need to send to the DC to just 2, and reducing
the DC's internal lookups at the same time.

My hope is that in the long term, squid's wb_ntlmauth can 'go away', so
we don't have external dependencies on the winbind pipe protocol.

Of interest to developers is its '--diagnosis' option, which will
attempt a large number of authentication combinations, and tell you
what the server will support.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
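The post describes two points of the squid-2.5-ntlmssp helper protocol: a YR request may or may not carry a negotiate token, and ntlm_auth decides what to do by decoding the NTLMSSP blob rather than by trusting the YR/KK letter. The following is an added illustration of that dispatch and is not code from Samba's ntlm_auth or from Squid. It assumes the standard Squid helper reply words (TT, AF, NA, BH) and relies on the NTLMSSP header layout (the "NTLMSSP\0" signature followed by a little-endian message type: 1 negotiate, 2 challenge, 3 authenticate). The names handle_helper_line, demo_verify and demo_authenticate are invented here, and the "verifier" is a constructed stand-in for the challenge/response check winbindd would do over the privileged pipe; it is not an NTLM response computation.

```python
import base64
import binascii
import hashlib
import hmac
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE, CHALLENGE, AUTHENTICATE = 1, 2, 3


def ntlmssp_message_type(blob):
    """Return 1/2/3 for a negotiate/challenge/authenticate token, else None."""
    if len(blob) < 12 or blob[:8] != NTLMSSP_SIGNATURE:
        return None
    (msg_type,) = struct.unpack_from("<I", blob, 8)
    return msg_type if msg_type in (NEGOTIATE, CHALLENGE, AUTHENTICATE) else None


def make_ntlmssp(msg_type, payload=b""):
    """Constructed minimal token: signature + little-endian type + opaque payload."""
    return NTLMSSP_SIGNATURE + struct.pack("<I", msg_type) + payload


def encode_token(blob):
    return base64.b64encode(blob).decode("ascii")


def decode_token(text):
    # validate=True makes stray characters raise instead of being silently skipped
    return base64.b64decode(text, validate=True)


def demo_authenticate(user, challenge):
    """Constructed stand-in for an authenticate token (NOT real NTLM): type 3 + sha256(user||challenge)."""
    return make_ntlmssp(AUTHENTICATE, hashlib.sha256(user + challenge).digest())


def demo_verify(blob, challenge):
    """Constructed stand-in for winbindd's check: only 'demo-user' is known. Returns the user or None."""
    expected = hashlib.sha256(b"demo-user" + challenge).digest()
    return "demo-user" if hmac.compare_digest(blob[12:], expected) else None


def handle_helper_line(line, challenge, verify=demo_verify):
    """Answer one squid-2.5-ntlmssp request line. The NTLMSSP type, not the YR/KK letter, decides."""
    parts = line.strip().split(" ", 1)
    if parts[0] not in ("YR", "KK"):
        return "BH unknown request"
    if len(parts) == 1:
        # Bare YR: Squid has no negotiate packet to offer, so just hand out a challenge.
        if parts[0] == "YR":
            return "TT " + encode_token(make_ntlmssp(CHALLENGE, challenge))
        return "BH KK without a token"
    try:
        blob = decode_token(parts[1])
    except (binascii.Error, ValueError):
        return "BH base64 decode failed"
    msg_type = ntlmssp_message_type(blob)
    if msg_type == NEGOTIATE:
        # A negotiate arriving under KK is still a negotiate: answer with a challenge.
        return "TT " + encode_token(make_ntlmssp(CHALLENGE, challenge))
    if msg_type == AUTHENTICATE:
        user = verify(blob, challenge)
        return "AF " + user if user else "NA logon failure"
    return "BH not an NTLMSSP negotiate or authenticate token"


if __name__ == "__main__":
    # Constructed 8-byte server challenge; a real helper gets this from winbindd.
    ch = bytes(range(8))
    for req in ("YR",
                "YR " + encode_token(make_ntlmssp(NEGOTIATE)),
                "KK " + encode_token(demo_authenticate(b"demo-user", ch)),
                "KK " + encode_token(demo_authenticate(b"someone-else", ch))):
        print(req[:20].ljust(22), "->", handle_helper_line(req, ch)[:40])
```

The same dispatch would work for the squid-2.4/2.5 basic helpers only in spirit; those read a plain "username password" line and answer OK or ERR, so no NTLMSSP decoding is involved there.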