trying to correctly handle account passwords via ldap

Andrew Bartlett abartlet at
Tue Mar 28 23:00:35 GMT 2006

On Wed, 2006-03-29 at 08:47 +1000, Luke Howard wrote:
> Hi Alan,
> >> As far as the NT security model is concerned, using the Net Logon
> >> secure channel (as ntlm_auth does) is the correct way to do pass-
> >> through authentication.
> >
> >  Can Samba expose an API to just that, rather than forking a program
> >to contact a program to contact a program that contacts the domain
> >controller?
> You might be able to use the winbindd API for this. Not my balliwick
> I'm afraid. But it's obviously possible in theory -- we have such a
> client API in one of our products.


The reason I created ntlm_auth was because Squid was (with my
encouragement) using this API.  It didn't work out well, as we tended to
make arbitary protocol changes, which required their helper to be

Instead, Samba now supplies ntlm_auth, with a more consistent interface.
Now, I see 3 options:
 - Try the ntlm-server-1 interface, and see if works for what is needed.
 - Design a new helper interface (just as the squid modes were designed
for squid, I'm happy to have new interfaces for other projects needs).
 - Create another winbind client shared library, with a stable shared
library interface to the variable socket API.

Andrew Bartlett

Andrew Bartlett                      
Authentication Developer, Samba Team 
Student Network Administrator, Hawker College
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 191 bytes
Desc: This is a digitally signed message part
Url :

More information about the samba-technical mailing list