the unused auth_samba4 check_ntlm_security

Andrew Bartlett abartlet at
Fri Jul 13 03:19:45 MDT 2012

On Fri, 2012-07-13 at 18:45 +1000, Andrew Bartlett wrote:
> On Fri, 2012-07-13 at 10:35 +0200, Volker Lendecke wrote:
> > On Fri, Jul 13, 2012 at 10:05:03AM +0200, Andrew Bartlett wrote:
> > > +/* 
> > > + * This hook is currently unused, as all NTLM logins go via the hooks
> > > + * provided by make_auth4_context_s4() below.
> > > + *
> > > + * This is only left in case we find a way that it might become useful
> > > + * in future.  Importantly, this routine returns the information
> > > + * needed for a NETLOGON SamLogon, not what is needed to establish a
> > > + * session.
> > > + */
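Review bot: the comment introduced by this hunk states that check_ntlm_security is unreachable (every NTLM login goes through the make_auth4_context_s4() hooks) and is retained only in case it becomes useful later; an unreachable code path in an authentication module that, as the thread itself notes, has no unit tests is a review and maintenance liability rather than a convenience, so either remove it or keep it together with a test and a reference to the intended future caller instead of a comment alone. Minor: the opening `+/* ` line carries trailing whitespace.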
> > 
> > What is the fundamental difference between this code and
> > pdb_ads/auth_netlogon? Those needed to go because they were
> > unused, but this can stay?
> > 
> > Please explain.
> Honestly, there isn't much difference, and I considered outright
> removing this particular chunk when I did the other work.  Today I just
> felt as folks were looking over the different modules, I would try and
> reduce the confusion by at least documenting this fact. 
> But you are totally correct, and with the bypass via the auth4_context,
> this code is unused, and as we don't have unit tests over auth modules,
> it is untested.  I also don't have any concrete ideas for a future use
> case.  It is entirely reasonable to request it be removed.  
> I'll do that tomorrow unless others feel a particular reason we should
> keep this.

Thinking about this some more, there is one interesting use case for the
auth_samba4 check_ntlm_security code, which is in the reasonably
foreseeable future.

Following the user feedback on Samba4 deployments, it is quite clear
that we will need to use the 's3' winbindd, with the full range of
features and configuration options it supports.  This will require a
deal of work in many areas, but one area that touches this is the auth

Currently winbindd has hardcoded hooks into the 'sam' auth module in
winbindd_dual_auth_passdb() by calling check_sam_security_info3().  

If we were to make this pluggable (clearly the auth_sam module isn't
appropriate for AD authentication), then this hook would be at the
correct layer for the current winbindd implementation, which should
instead call auth_check_ntlm_password() and then the module
check_ntlm_security() calls. 

Now, this is down the track, and only one possible design, but I figured
I should mention it.  If we do remove it, it won't be difficult to
re-introduce this code with tests and in the desired form when needed.

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team
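The design sketched in the message above, a caller such as winbindd going through a single auth_check_ntlm_password() dispatcher that consults per-module check_ntlm_security() style hooks instead of calling one module's function directly, as an added illustration that is not Samba code and is not from the thread. Everything in it is an assumption made for the example: the struct and enum names, the hook signature, the two hypothetical modules (ad_example and sam_local), and the constructed toy credential table; a real module would verify an NTLM challenge/response, never a cleartext password. The point it demonstrates is the dispatch rule a pluggable layer needs: the first module that owns the requested domain is authoritative, its reject does not fall through to a weaker module, and a domain no module claims fails closed.

```c
/* Hypothetical pluggable NTLM auth dispatch (added example, not Samba code). */
#include <stddef.h>
#include <string.h>

/* Identity data returned on success, loosely modelled on what a NETLOGON
 * SamLogon caller needs (not session state). Field names are invented. */
struct auth_info {
    const char *domain;
    const char *account;
    unsigned int rid;
};

enum auth_status {
    AUTH_OK = 0,
    AUTH_NO_SUCH_USER,
    AUTH_WRONG_PASSWORD,
    AUTH_NOT_HANDLED   /* module is not authoritative for this domain; try the next */
};

/* The hook every module implements; the signature is an assumption. */
typedef enum auth_status (*check_ntlm_fn)(const char *domain, const char *user,
                                          const char *password, struct auth_info *out);

struct auth_module {
    const char *name;
    check_ntlm_fn check_ntlm_password;
};

/* Constructed toy credential store used by both modules below. */
struct toy_user { const char *domain; const char *name; const char *password; unsigned int rid; };
static const struct toy_user toy_users[] = {
    { "EXAMPLE",   "alice", "correct horse", 1104 },
    { "WORKGROUP", "admin", "local-secret",  500  },
};

/* Constant-time equality so the comparison does not leak where strings differ. */
static int ct_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    unsigned char diff = (unsigned char)(la != lb);
    size_t n = la < lb ? la : lb;
    for (size_t i = 0; i < n; i++) diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Shared lookup: a module answers only for the domain it owns. */
static enum auth_status lookup_in_domain(const char *owned, const char *domain, const char *user,
                                         const char *password, struct auth_info *out)
{
    if (strcmp(owned, domain) != 0) return AUTH_NOT_HANDLED;
    for (size_t i = 0; i < sizeof toy_users / sizeof toy_users[0]; i++) {
        const struct toy_user *u = &toy_users[i];
        if (strcmp(u->domain, domain) != 0 || strcmp(u->name, user) != 0) continue;
        if (!ct_equal(u->password, password)) return AUTH_WRONG_PASSWORD;
        out->domain = u->domain;
        out->account = u->name;
        out->rid = u->rid;
        return AUTH_OK;
    }
    return AUTH_NO_SUCH_USER;
}

/* Two hypothetical modules: an AD-style one and a local 'sam'-style one. */
static enum auth_status ad_check(const char *d, const char *u, const char *p, struct auth_info *o)
{ return lookup_in_domain("EXAMPLE", d, u, p, o); }
static enum auth_status sam_check(const char *d, const char *u, const char *p, struct auth_info *o)
{ return lookup_in_domain("WORKGROUP", d, u, p, o); }

static const struct auth_module modules[] = {
    { "ad_example", ad_check  },
    { "sam_local",  sam_check },
};

/* The dispatcher a caller such as winbindd would use instead of a hardcoded
 * call into one module. The first module that handles the domain is
 * authoritative: its reject is final and does not fall through, and a domain
 * no module claims fails closed. */
enum auth_status auth_check_ntlm_password(const char *domain, const char *user,
                                          const char *password, struct auth_info *out)
{
    for (size_t i = 0; i < sizeof modules / sizeof modules[0]; i++) {
        enum auth_status st = modules[i].check_ntlm_password(domain, user, password, out);
        if (st != AUTH_NOT_HANDLED) return st;
    }
    return AUTH_NO_SUCH_USER;
}
```

The case worth noticing is EXAMPLE\admin with the local module's password: the AD-style module owns EXAMPLE and returns AUTH_NO_SUCH_USER, and the dispatcher stops there rather than letting the local module accept the credentials for a domain it is not authoritative for.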
