Re: Samba 3.0a19 breaks winbind helpers?

From: Andrew Bartlett <abartlet@dont-contact.us>
Date: Sun, 08 Sep 2002 17:12:32 +1000

Jerry Murdock wrote:
>
> ----- Original Message -----
> From: "Andrew Bartlett" <abartlet@samba.org>
> To: "Jerry Murdock" <jmurdock@itraktech.com>
> Cc: "Andrew Bartlett" <abartlet@samba.org>; "Henrik Nordstrom"
> <hno@marasystems.com>; "Squid-Dev (E-mail)" <squid-dev@squid-cache.org>
> Sent: Saturday, September 07, 2002 10:46 PM
> Subject: Re: Samba 3.0a19 breaks winbind helpers?
>
> > Jerry Murdock wrote:
> > >
> > > I've since tested copying over the a19 headers and it seems to get things
> > > going.
> > >
> > > How do you want to handle it in the squid FAQ?
> > >
> > > 1: Only Samba 2.2.x is supported.
> > > 2: Samba versions > 3.0a18 are unsupported.
> > > 3: They're unsupported but you can try this...
> >
> > Given that the winbind daemon on 2.2 is almost identical to the one in
> > 3.0 in most other respects, I think that 1 and 3 are appropriate - Squid
> > supports Samba 2.2.x, x>=4 out of the box, and the patch/update can be
> > used for some later 3.0 alphas.
> >
> > However, that will only work until we move to a privileged pipe.
> >
>
> The other issue I haven't tested yet is the wb_group helper.
>
> When designing the new interface to winbind, please consider group
> membership checks. I know it's something I wrestle with routinely for a
> variety of services. I have various solutions. All of them are fairly kludgy
> though, and a nice clean solution would be great.

The winbind pipe is an internal Samba interface. Its structure should
be considered 'undefined'. Unfortunately projects like squid (with my
encouragement, I might add!) have started to use it as an external
interface - it does provide very convenient access to this kind of info,
I must admit.

So, where do we go from here? For anything that looks at all like unix,
the published unix interfaces are the way to go - we implement nsswitch
and PAM in particular. For NTLMSSP, I've proposed one earlier in this
thread. For the other interfaces, somebody (not me!) needs to define an
interface, and propose it to samba-technical.

For reasons of portability/flexibility, the current mood is for
executable helpers that pass simple text structures around, not shared
libraries that need maintenance.

BTW, where the issue is groups of NTLMSSP, I'm quite willing to have the
ntlm_auth helper spit out the user's groups at login time - we get the
info, so it's not that much work to pass it on.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
Received on Sun Sep 08 2002 - 01:12:09 MDT
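
An added illustration of the approach described in this message (not code from the post, Samba or Squid): a helper executable that answers group-membership questions over a line-based text protocol, using only the published NSS interfaces that winbind serves through nsswitch and never the winbind pipe. The request/reply line format, the percent-encoding of fields and the function names are assumptions made for the example.

```python
#!/usr/bin/env python3
"""Group-check helper (illustrative; the line format is an assumption).

Request, one per line on stdin:  user group [group ...]  (percent-encoded fields)
Reply, one per line on stdout:   OK if the user is in any listed group, else ERR
"""
import grp
import os
import pwd
import sys
from urllib.parse import unquote


def user_groups(user):
    """Return the group names NSS reports for user, primary group included."""
    try:
        pw = pwd.getpwnam(user)
    except (KeyError, ValueError):
        return set()          # unknown user or embedded NUL: member of nothing
    names = set()
    for gid in os.getgrouplist(pw.pw_name, pw.pw_gid):
        try:
            names.add(grp.getgrgid(gid).gr_name)
        except KeyError:
            pass              # gid that no NSS source can name
    return names


def answer(line):
    """Answer one request line; malformed input is denied, never raised."""
    fields = [unquote(f) for f in line.split()]
    if len(fields) < 2:
        return "ERR"
    user, wanted = fields[0], set(fields[1:])
    return "OK" if user_groups(user) & wanted else "ERR"


def main():
    for line in sys.stdin:
        sys.stdout.write(answer(line) + "\n")
        sys.stdout.flush()    # the caller blocks on each reply; do not buffer


if __name__ == "__main__":
    main()
```

Because the lookups go through nsswitch, the helper keeps working when the internal pipe format changes, and it fails closed (ERR) on unknown users, unnamed gids and malformed lines.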