Re: Samba 3.0a19 breaks winbind helpers?

----- Original Message -----
From: "Andrew Bartlett" <abartlet@samba.org>
To: "Jerry Murdock" <jmurdock@itraktech.com>
Cc: "Andrew Bartlett" <abartlet@samba.org>; "Henrik Nordstrom"
<hno@marasystems.com>; "Squid-Dev (E-mail)" <squid-dev@squid-cache.org>
Sent: Sunday, September 08, 2002 3:12 AM
Subject: Re: Samba 3.0a19 breaks winbind helpers?

> > When designing the new interface to winbind, please consider group
> > membership checks. .
>
> The winbind pipe is an internal Samba interface. It's structure should
> be considered 'undefined'.

Understood, perhaps I should have said "new external interface".

> So, where do we go from here? For anything that looks at all like unix,
> the published unix interfaces are the way to go - we implement nsswitch
> and PAM in particular.

PAM is good for most of my needs. And would be a perfectly adequate stand-in
for the basic wb_auth helper on systems supporting PAM. Group checks are
still a week area in PAM though, what I've thought would be handy many times
was a pam_winbind_group module - or equivalent via command line in
pam_winbind.

As Henrik said, a non-nsswitch group check mechanism would be useful. NSS
seems a little heavy if you only need auth for squid/web/socks/ppp/etc where
there is no reason to have user accounts on the machine.

Disclaimer: I'm primarily a FreeBSD user which eliminates nsswitch as an
option.

> For NTLMSSP, I've poposed one earlier in this
> thread. For the other interfaces, somebody (not me!) needs to define an
> interface, and propose it to samba-technical.
>
So far in the conversation, it looks like you're looking at an executable
that does ntlmssp, will probably do plain text, and will have both command
line and pipe interfaces.

From there it isn't a big leap to add group checks and take the stance Samba
provides PAM and nsswitch and for anything else you can roll your own using
"winbind_auth" (or whatever the name is).

> BTW, where the issue is groups of NTLMSSP, I'm quite willing to have the
> ntlm_auth helper spit out the user's groups at login time - we get the
> info, so it's not that much work to pass it on.
>
There is often a need to do group checks post-auth without having the
password available.

Sorry, I know this has strayed a little. I'll happily accept whatever
solutions are provided.

Jerry
Received on Sun Sep 08 2002 - 14:12:47 MDT