Re: Samba 3.0a19 breaks winbind helpers?

From: Jerry Murdock <jmurdock@dont-contact.us>
Date: Sat, 7 Sep 2002 22:30:30 -0400

I've since tested copying over the a19 headers and it seems to get things
going.

How do you want to handle it in the squid FAQ?

1: Only Samba 2.2.x is supported.
2: Samba versions > 3.0a18 are unsupported.
3: They're unsupported but you can try this...

Jerry

----- Original Message -----
From: "Andrew Bartlett" <abartlet@samba.org>
To: "Henrik Nordstrom" <hno@marasystems.com>
Cc: "Jerry Murdock" <jmurdock@itraktech.com>; "Andrew Bartlett"
<abartlet@samba.org>; <squid-dev@squid-cache.org>; "Multiple recipients of
list SAMBA-TECHNICAL" <samba-technical@samba.org>
Sent: Saturday, September 07, 2002 9:31 PM
Subject: Re: Samba 3.0a19 breaks winbind helpers?

> Henrik Nordstrom wrote:
> >
> > Haven't tested yet.. we are using 3.0a18 which seems to work fine as
> > far as I can tell..
>
> Thats probably from before I last played games with the interface :-)
>
> > Lets hope we can get the versioning issue finally sorted out with the
> > Samba team before Squid-2.6 (in at least 6 months I would guess)..
> >
> > For Squid-2.5 I guess we will have to speficy which Samba versions are
> > known to work with the helpers.
>
> The current stable code uses the interface Squid expects - that's in
> Samba 2.2.4 and above. Samba 2.2 is in feature freeze, and I would not
> expect any changes to this interface, In particular becouse of it's use
> by squid.
>
> > Andrew: Do you think there will be fundamental changes to the winbindd
> > API in the next 6 months, or do you think it will be sufficient for
> > our purposes to just make use of new headers when there is a revised
> > API?
>
> Yes, there will be - I need to create a 'privilaged' pipe for squid to
> use, so that we don't give arbitary users access to this resource.
> Hoever, this in in Samba 3.0 only - 2.2 will remian as it is, to avoid
> breaking Squid.
>
> To get current Samba 3.0 working should only *require* a new header, but
> you might also want to fill in the 'workstation' feild, and allow long
> challanges - this might be sufficient to get NTLMv2 going (or it might
> not...).
>
> That's why I'm so keen to sort out this helper issue. If only I had the
> time to implement it...
>
> If sombody on the squid side wants to pick up this project, I'm more
> than happy to give a hand.
>
> The specifications are:
> - Use Samba's NTLMSSP code. Needs seperation from the surrounding code
> in clispnego.c and smbd/sesssetup.c
> - Also needs 'ascii' support added. Currently all-unicode.
> - Seperate Samba-supplied binary, called ntlm_auth
> - Use a Popt interface, so that we can specify --squid-2.5 for the
> current squid protocol etc.
> - Have a command-line challange-response interface
> - takes --username=abartlet --domain=FOO --lm-resp=ASDGADF (hex
> encoded, 24 bytes) --nt-resp=AADFAFG1232 (hex encoded >=24 bytes)
> - returns NT_STATUS_... on stdout, 0 or 1 to exit code
> - Have a similar 'plaintext' inteface (option not to have password on
> cmd line)
>
> The idea is that this can be a stable, long-term interface that Samba
> can provide, to squid and other projects
>
> Any takers?
>
> > Regards
> > Henrik
> >
> > On Sunday 08 September 2002 02.30, Jerry Murdock wrote:
> > > Is anyone running these together successfully?
> > >
> > > Looks like the api change Andrew has been warning about happened.
> > >
> > > If so, I will update the FAQ, probably should be in release note as
> > > well.
> > >
> > > Jerry
>
> --
> Andrew Bartlett abartlet@pcug.org.au
> Manager, Authentication Subsystems, Samba Team abartlet@samba.org
> Student Network Administrator, Hawker College abartlet@hawkerc.net
> http://samba.org http://build.samba.org http://hawkerc.net
Received on Sat Sep 07 2002 - 20:30:33 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:16:28 MST