On Sun, 8 Sep 2002, Andrew Bartlett wrote:
> The current stable code uses the interface Squid expects - that's in
> Samba 2.2.4 and above. Samba 2.2 is in feature freeze, and I would not
> expect any changes to this interface, in particular because of its use
> by Squid.
Ok. So the specification is simply that Samba-2.2, version 2.2.4 or later
is what must be used. In Samba-3 there will be other means.
> The specifications are:
> - Use Samba's NTLMSSP code. Needs separation from the surrounding code
> in clispnego.c and smbd/sesssetup.c
> - Also needs 'ascii' support added. Currently all-unicode.
Meaning you do not support clients not supporting Unicode yet?
> - Separate Samba-supplied binary, called ntlm_auth
> - Use a Popt interface, so that we can specify --squid-2.5 for the
> current squid protocol etc.
very good idea.
As you already are mixing plaintext into the mix I would propose a single
helper for both plaintext, ntlmssp and raw ntlm.
--squid-2.4
login<SP>password[\r]\n, support spaces in the password field
--squid-2.4-long-usernames
login<SP>password[\r]\n, support spaces in the login field
--squid-2.5-basic
login<SP>password[\r]\n, URL encoded fields
--squid-2.5-ntlmssp
the stateful NTLMSSP helper protocol of Squid-2.5
--squid-2.6-ntlmssp
the NTLMSSP helper protocol of Squid-2.6 (whatever that will look
like)
or perhaps simply instead of --squid-2.5-basic and --squid-2.6-ntlm use
generic names not tied to squid if these protocols are deemed generically
acceptable, like
--plaintext
--ntlmssp
which is a bit too many options, so there should probably be a single
option with the helper protocol to use as argument..
--helper-protocol=[one of the above]
> - Have a command-line challenge-response interface
> - takes --username=abartlet --domain=FOO --lm-resp=ASDGADF (hex
> encoded, 24 bytes) --nt-resp=AADFAFG1232 (hex encoded >=24 bytes)
Shouldn't there be a --challenge=... option in this command line "raw
NTLM" mode? And who should generate the challenge bytes?
A note of warning: many "first try" applications using the above command
line mode are likely to fail on usernames (or domains?) with spaces in
them..
What about also supporting a stream oriented NTLM mode?
NTLMv2 responses can be identified by their length, and do not need any
additional data from the client, right?
> - returns NT_STATUS_... on stdout, 0 or 1 to exit code
> - Have a similar 'plaintext' interface (option not to have password on
> cmd line)
>
> The idea is that this can be a stable, long-term interface that Samba
> can provide, to squid and other projects
Great!
> Any takers?
In the raw NTLM mode, what about the session key (MD5(NT#) IIRC)? Will
there be support from winbindd to have this returned? Needed for MSCHAPv2,
remember? This should obviously be restricted to applications running
with a specific uid/group configured in smb.conf... (use SO_PEERCRED to
find out in winbindd)
Regards
Henrik
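The helper modes proposed in the message above, worked through as an added example in stdlib Python (this is not Samba's ntlm_auth nor Squid's own helper code). It parses the three plaintext line formats (--squid-2.4, --squid-2.4-long-usernames and --squid-2.5-basic), applies the "NTLMv2 is recognised by length" rule to a hex-encoded --nt-resp, verifies an NTLMv2 response and derives the NTLMv2 session base key as specified in MS-NLMP (HMAC-MD5 based, so no DES or MD4 is needed), and shows why a username with a space breaks the command-line mode when an application joins the arguments into one shell string. The --challenge option, the NT_HASH value, the client blob and the challenge bytes are assumptions constructed for the example; the NT hash is not derived from any password.

```python
# Added example, not Samba or Squid code. Models the helper-protocol modes
# discussed in the thread; --challenge and all sample data are assumed.
import hashlib
import hmac
import os
import shlex
import urllib.parse


def parse_plaintext(line, mode):
    """Split one helper request line into (login, password) for the mode."""
    line = line.rstrip("\r\n")                     # lines end in [\r]\n
    if mode == "squid-2.4":
        # spaces allowed in the password: split at the first space
        login, _, password = line.partition(" ")
    elif mode == "squid-2.4-long-usernames":
        # spaces allowed in the login: split at the last space
        login, _, password = line.rpartition(" ")
    elif mode == "squid-2.5-basic":
        # both fields URL-encoded, so spaces may appear in either one
        enc_login, _, enc_password = line.partition(" ")
        login = urllib.parse.unquote(enc_login)
        password = urllib.parse.unquote(enc_password)
    else:
        raise ValueError("unknown helper protocol %r" % mode)
    return login, password


def new_server_challenge():
    """The verifying side (helper/winbindd) picks the 8 random challenge
    bytes and must remember them until the response comes back."""
    return os.urandom(8)


def classify_nt_response(nt_resp_hex):
    """An NTLMv1 NT response is exactly 24 bytes (three DES blocks); an NTLMv2
    response is a 16-byte NTProofStr plus a variable client blob, so it is
    always longer and needs no extra flag from the client."""
    n = len(bytes.fromhex(nt_resp_hex))
    if n == 24:
        return "NTLMv1"
    if n > 24:
        return "NTLMv2"
    raise ValueError("NT response too short: %d bytes" % n)


def ntowf_v2(nt_hash, user, domain):
    """NTOWFv2 = HMAC_MD5(NT hash, UTF-16LE(upper(user) + domain)).
    Only the user name is uppercased, per MS-NLMP."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"),
                    hashlib.md5).digest()


def ntlmv2_response(nt_hash, user, domain, challenge, blob):
    """Client side: NTProofStr || blob."""
    proof = hmac.new(ntowf_v2(nt_hash, user, domain), challenge + blob,
                     hashlib.md5).digest()
    return proof + blob


def session_base_key(nt_hash, user, domain, proof):
    """NTLMv2 SessionBaseKey = HMAC_MD5(NTOWFv2, NTProofStr)."""
    return hmac.new(ntowf_v2(nt_hash, user, domain), proof,
                    hashlib.md5).digest()


def verify_ntlmv2(nt_hash, user, domain, challenge, nt_resp):
    """Server side: recompute NTProofStr over the client's own blob.
    Returns the session base key on success (what a caller needing key
    material, e.g. for MSCHAPv2, would want handed back), else None."""
    if len(nt_resp) <= 24:
        return None
    proof, blob = nt_resp[:16], nt_resp[16:]
    expected = hmac.new(ntowf_v2(nt_hash, user, domain), challenge + blob,
                        hashlib.md5).digest()
    if not hmac.compare_digest(proof, expected):
        return None
    return session_base_key(nt_hash, user, domain, proof)


def raw_ntlm_argv(user, domain, challenge, lm_resp, nt_resp):
    """argv for the proposed raw-NTLM mode (--challenge is an assumption).
    Passed to exec() as a list, 'Domain Admin' stays a single argument."""
    return ["ntlm_auth", "--username=" + user, "--domain=" + domain,
            "--challenge=" + challenge.hex(), "--lm-resp=" + lm_resp.hex(),
            "--nt-resp=" + nt_resp.hex()]


def first_try_argv(argv):
    """What a 'first try' application gets when it joins argv into one
    string and lets a shell re-split it: the username option breaks in two."""
    return shlex.split(" ".join(argv))


# Constructed sample data: made-up NT hash and a minimal client blob.
NT_HASH = bytes.fromhex("0123456789abcdef0123456789abcdef")
BLOB = bytes.fromhex("0101000000000000") + b"\x00" * 16

if __name__ == "__main__":
    chal = new_server_challenge()
    resp = ntlmv2_response(NT_HASH, "Domain Admin", "FOO", chal, BLOB)
    print(classify_nt_response(resp.hex()))
    print(verify_ntlmv2(NT_HASH, "Domain Admin", "FOO", chal, resp) is not None)
    print(first_try_argv(raw_ntlm_argv("Domain Admin", "FOO", chal,
                                       b"\x00" * 24, resp))[1:3])
```

Verification keys off the client's blob rather than a server-side copy because the blob (timestamp, client nonce, target info) is chosen by the client; only the 8 challenge bytes are the server's, which is why the helper, not the calling application, should generate and retain them.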
Received on Sun Sep 08 2002 - 02:32:58 MDT