[Samba] Re: [PATCH] Add winbind-backed NTLMSSP support to Cyrus-SASL
ken at oceana.com
Wed Dec 31 17:49:45 GMT 2003
Andrew Bartlett wrote:
> Windows authentication extends far beyond the CIFS protocol that Samba
> implements, but it is only very recently that work has been done to catch
> up to Microsoft's extensions in this area. This has caused many
> administrators pain and toil that their MS counterparts simply don't
> have. For them, authentication 'just works', with single-sign-on and
> the lot.
> I have worked, for over a year, with the Squid development team, in
> extending NTLMSSP authentication to HTTP. The squid team made a very
> good start (as I see Cyrus-SASL now has) in including a basic NTLMSSP
> implementation, and even providing a proxy-mechanism to authenticate
> against a Windows DC. I extended on this base, providing the
> ntlm_auth tool, which allows them to perform this against winbind, and
> without having to understand NTLMSSP as anything more than BASE64 strings.
> This provides a much more reliable interface, as winbind is not only faster,
> we can also prevent man-in-the-middle attacks.
> The attached patch provides this for Cyrus-SASL. In the same way that
> Squid now uses Winbind, all Cyrus-SASL enabled applications can use
> Winbind (via ntlm_auth) to authenticate their users. This provides
> the most current NTLMSSP implementation in the Open Source arena, as
> it is the one that we must maintain for Samba's internal use.
> The plugin is designed to use ntlm_auth over a stdio interface,
> because as part of Samba, it is GPL'ed. The plugin provides a client,
> and a server implementation, but can only proxy its server-side (I
> can provide a mode that allows for local passwords if it is required).
> Current Samba 3.0 CVS is required to find the NTLMSSP client code exposed.
Here is my opinion, Rob's *may* differ:
Having support for all of the latest NTLMSSP stuff is a great idea, but
I don't think we want to have yet another dependency for Cyrus SASL,
especially unreleased Samba code.
I also think that being able to use passwords that are stored in an
auxprop plugin is mandatory as there might be sites which want to
support MS clients but don't have an MS server to proxy to.
Can you point me to any references to Winbind, so I at least know what
we are missing?
> Patch against current SASL CVS, but my testing was actually with 2.1.15
I wanted to take a look at your code, but this patch does not apply
cleanly to CVS -- only 1 of 7 hunks succeeds.
Kenneth Murchison Oceana Matrix Ltd.
Software Engineer 21 Princeton Place
716-662-8973 x26 Orchard Park, NY 14127
--PGP Public Key-- http://www.oceana.com/~ken/ksm.pgp