[Samba] Re: [PATCH] Add winbind-backed NTLMSSP support to Cyrus-SASL
rjs3 at andrew.cmu.edu
Tue Jan 6 15:52:00 GMT 2004
On Wed, 31 Dec 2003, Andrew Bartlett wrote:
> > > The plugin is designed to use ntlm_auth over a stdio interface,
> > > because as part of Samba, it is GPL'ed. The plugin provides a client,
> > > and a server implementation, but can only proxy its server-side (I
> > > can provide a mode that allows for local passwords if it is required).
> > >
> > > Current Samba 3.0 CVS is required to find the NTLMSSP client code exposed.
> > Here is my opinion, Rob's *may* differ:
> > Having support for all of the latest NTLMSSP stuff is a great idea, but
> > I don't think we want to have yet another dependency for Cyrus SASL,
> > especially unreleased Samba code.
> This will be in Samba 3.0.2, which I expect to be released in a
> reasonably short timeframe due to issues in 3.0.1 (but the rest is up
> to the release manager)
Ok: Here's my take on the NTLM changes. If we were to accept this, I'd
want to accept it as another alternative. I don't want to suddenly
require anyone who is using our NTLM plugin to have to install SAMBA. I
also don't want to remove the ability to support NTLM from the same
password store that we serve other mechanisms from. So, I'm willing to
take a patch that adds an alternate way to compile the NTLM plugin, but
not one that replaces what we currently do (and not by default).
> I was very pleased to see what appears to be a reasonably mature
> NTLMSSP implementation. However, a few things stood out - common
> errors in most of the NTLMSSP implementations I have seen:
I'd be very interested to see patches that fix all of these internally ;)
> > I also think that being able to use passwords that are stored in an
> > auxprop plugin is mandatory as there might be sites which want to
> > support MS clients but don't have an MS server to proxy to.
> They can always use a Samba server :-)
Then they have to maintain separate password stores for their NTLM clients
and for their DIGEST-MD5 clients. I don't think this is the direction we
want to head.
> But seriously, if it is required, we can add a callback.
I just don't want to add the required dependency, really.
> > > Patch against current SASL CVS, but my testing was actually with 2.1.15
> > I wanted to take a look at your code, but this patch does not apply
> > cleanly to CVS -- only 1 of 7 hunks succeeds.
> I'll try again on the patch.
As far as the GSS-SPNEGO stuff is concerned, it looks very similar to the
NTLM changes, just with different parameters passed to ntlm_auth. Am I
Perhaps it makes sense to have a "samba" plugin that supports both NTLM
and GSS-SPNEGO via ntlm_auth, and is built if --with-samba is supplied.
In this case, we do not build the original NTLM plugin.
Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
Research Systems Programmer * /usr/contributed Gatekeeper