[PATCH] consolidate NTLM authentication codepaths

Andrew Bartlett abartlet at samba.org
Mon Mar 5 20:45:39 MST 2012

The attached patches (in s3-auth-for-merge in my git tree) represent one
of the last steps in the great journey to consistently handle
authentication in Samba 4.0, both to enable s3fs and to ensure
internally consistent behaviour.

I would actually have preferred to make the session setup NTLM handler
use GENSEC, but this would be quite difficult with security=server still
supported.  So instead, we hook in at the layer directly below gensec:
the auth4_context. 

This has been a long road, and while we still have some small parts to
conclude (winbindd_pam krb5 and ntlm_auth gss-spnego need to be
converted to use gensec), for the NTLM server-side we are essentially

In particular, this means that a user who successfully authenticates via
session setup with NTLM or NTLMSSP will always successfully authenticate
with NTLMSSP on a named pipe, or over LDAP.  They will also always get
exactly the same user token, including privileges. 

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-s3-auth-Follow-auth_ntlmssp-and-use-auth4_context-fo.patch
Type: text/x-patch
Size: 7588 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20120306/0b2a7531/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-s3-auth-Remove-single-implementation-plugin-layer.patch
Type: text/x-patch
Size: 6993 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20120306/0b2a7531/attachment-0001.bin>

More information about the samba-technical mailing list