[PATCH] Add winbind-backed NTLMSSP support to Cyrus-SASL

Rob Siemborski rjs3 at andrew.cmu.edu
Tue Jan 6 15:52:00 GMT 2004

On Wed, 31 Dec 2003, Andrew Bartlett wrote:

> > > The plugin is designed to use ntlm_auth over a stdio interface,
> > > because as part of Samba, it is GPL'ed.  The plugin provides a client,
> > > and a server implementation, but can only proxy its server-side (I
> > > can provide a mode that allows for local passwords if it is required).
> > >
> > > Current Samba 3.0 CVS is required to find the NTLMSSP client code exposed.
> >
> > Here is my opinion, Rob's *may* differ:
> >
> > Having support for all of the latest NTLMSSP stuff is a great idea, but
> > I don't think we want to have yet another dependency for Cyrus SASL,
> > especially unreleased Samba code.
> This will be in Samba 3.0.2, which I expect to be released in a
> reasonably short timeframe due to issues in 3.0.1 (but the rest is up
> to the release manager)

Ok: Here's my take on the NTLM changes.  If we were to accept this, I'd
want to accept it as another alternative.  I don't want to suddenly
require anyone who is using our NTLM plugin to have to install SAMBA.  I
also don't want to remove the ability to support NTLM from the same
password store that we serve other mechanisms from.  So, I'm willing to
take a patch that adds an alternate way to compile the NTLM plugin, but
not one that replaces what we currently do (and not by default).

> I was very pleased to see what appears to be a reasonably mature
> NTLMSSP implementation.  However, a few things stood out - common
> errors in most of the NTLMSSP implementations I have seen:

I'd be very interested to see patches that fix all of these internally ;)

> > I also think that being able to use passwords that are stored in an
> > auxprop plugin is mandatory as there might be sites which want to
> > support MS clients but don't have an MS server to proxy to.
> They can always use a Samba server :-)

Then they have to maintain separate password stores for their NTLM clients
and for their DIGEST-MD5 clients.  I don't think this is the direction we
want to head.

> But seriously, if it is required, we can add a callback.

I just don't want to add the required dependency, really.

> > > Patch against current SASL CVS, but my testing was actually with 2.1.15
> >
> > I wanted to take a look at your code, but this patch does not apply
> > cleanly to CVS -- only 1 of 7 hunks succeeds.
> I'll try again on the patch.
> http://hawkerc.net/staff/abartlet/ntlm_sasl.diff

As far as the GSS-SPNEGO stuff is concerned, it looks very similar to the
NTLM changes, just with different parameters passed to ntlm_auth.  Am I
missing something?

Perhaps it makes sense to have a "samba" plugin that supports both NTLM
and GSS-SPNEGO via ntlm_auth, and is built if --with-samba is supplied.
In this case, we do not build the original NTLM plugin.


Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
Research Systems Programmer * /usr/contributed Gatekeeper