trying to correctly handle account passwords via ldap

Andrew Bartlett abartlet at samba.org
Tue Mar 28 23:00:35 GMT 2006


On Wed, 2006-03-29 at 08:47 +1000, Luke Howard wrote:
> Hi Alan,
> 
> >> As far as the NT security model is concerned, using the Net Logon
> >> secure channel (as ntlm_auth does) is the correct way to do pass-
> >> through authentication.
> >
> >  Can Samba expose an API to just that, rather than forking a program
> >to contact a program to contact a program that contacts the domain
> >controller?
> 
> You might be able to use the winbindd API for this. Not my bailiwick
> I'm afraid. But it's obviously possible in theory -- we have such a
> client API in one of our products.

Indeed.

The reason I created ntlm_auth was because Squid was (with my
encouragement) using this API.  It didn't work out well, as we tended to
make arbitrary protocol changes, which required their helper to be
recompiled.  

Instead, Samba now supplies ntlm_auth, with a more consistent interface.
Now, I see 3 options:
 - Try the ntlm-server-1 interface, and see if it works for what is needed.
 - Design a new helper interface (just as the squid modes were designed
for squid, I'm happy to have new interfaces for other projects' needs).
 - Create another winbind client shared library, with a stable shared
library interface to the variable socket API.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net