ntmulti - Was: Re: squid3 PRE1 ?

From: <michele.de-martin@dont-contact.us>
Date: Tue, 29 Apr 2003 15:33:43 +0200

...
>For the NTLM multi-domain hack, you need to address the following key
>before it's worth considering:
>
>* Squid internally only has one challenge per helper available. You need
>to alter this to be one challenge per domain per helper, and logic to
>send the correct challenge to the client, where currently squid sends
>some the challenge of the chosen helper.

???
Not fully understood...
If we assume the default "auth_param ntlm max_challenge_reuses 0", shouldn't
squid issue a "YR" for every new request?
Is it wrong to force squid to use a helper for the whole process from "YR" to "AF"
before issuing another "YR" to the same helper?

>Without that, squid will *consistently* cause pop-ups to appear on
>workstations, because the challenge is not one issued by the domain the
>auth request was sent to.
>
>What NT workstations do is issue a challenge locally, and then use an
>RPC call over the secure channel to their login server to have the
>triple (user domain, issued challenge, received response) checked. ONLY
>trusted workstations can issue this RPC call. Now, the winbind helper
>uses the winbindd challenge to perform this same RPC call. IF, and only
>IF, you have a helper that can do the same - issue a challenge, and then
>choose the DC to verify it after-the-fact - then multi-domain
>authentication will work reliably.

OK. Now, how does SMB/ntlm_auth.c work? I modified it to "login" to
different DCs.
If it works with one domain it should work with many (given my patches
are OK).
Actually, pop-up windows appear.

>Now, the way that this hypothetical helper would work, is by having
>secure channels to all the DC's needed (which is what being a domain
>member gives you within a domain, and domain trusts gives you cross
>domains).

OK again. See before.

>So, the long term solution IMO is to hack up winbindd to allow
>membership in multiple domains, without trust relationships between
>them. If that is done, squid doesn't need to change at all, and this
>will be the most reliable solution.

I agree with you.
Too much work for me to try this way, though.
Shall we involve the samba team in this?

Michele
Received on Tue Apr 29 2003 - 07:34:49 MDT
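The one-challenge-per-helper problem from the quoted mail, modelled as an added example (constructed here, not squid's, ntlm_auth's or the poster's code): each DC checks a triple only against the challenge it issued over its own session, so a helper that hands every domain the challenge of the one DC it is bound to makes the second domain's user fail with "NA" (the pop-up), while keying challenges per domain lets both pass. The domain names, users, toy response function and "YR"/"TT"/"KK"/"AF"/"NA" modelling are assumptions for illustration.

```python
import hashlib
import hmac
import os

def client_response(secret, challenge):
    """Toy stand-in for the client's NTLM response computation (not real NTLM)."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()

class DomainController:
    """Checks a (domain, challenge, response) triple, but only for a challenge
    it issued itself over its own session, as the quoted mail describes."""
    def __init__(self, name, users):
        self.name = name
        self.users = users                 # user -> secret (stand-in for NT hash)
        self.challenge = os.urandom(8)     # challenge issued over this DC's session

    def verify(self, user, challenge, response):
        secret = self.users.get(user)
        if secret is None or challenge != self.challenge:
            return False                   # unknown user, or a challenge this DC never issued
        return hmac.compare_digest(client_response(secret, self.challenge), response)

class Helper:
    """per_domain=False: one challenge per helper, taken from the DC the helper is
    bound to (current squid). per_domain=True: one challenge per domain per helper."""
    def __init__(self, dcs, per_domain):
        self.dcs = {dc.name: dc for dc in dcs}
        self.per_domain = per_domain
        self.bound = dcs[0]

    def yr(self, domain):
        """Squid sends 'YR'; the helper answers 'TT <challenge>'."""
        return (self.dcs[domain] if self.per_domain else self.bound).challenge

    def kk(self, domain, user, challenge, response):
        """Squid sends 'KK <type3>'; the helper answers 'AF' or 'NA'."""
        return "AF" if self.dcs[domain].verify(user, challenge, response) else "NA"

def simulate(per_domain):
    # Two constructed domains, one user each; returns the helper's verdict per user.
    dcs = [DomainController("CORP", {"alice": b"alice-secret"}),
           DomainController("LAB", {"bob": b"bob-secret"})]
    helper = Helper(dcs, per_domain)
    verdicts = {}
    for domain, user, secret in [("CORP", "alice", b"alice-secret"),
                                 ("LAB", "bob", b"bob-secret")]:
        challenge = helper.yr(domain)                  # what squid relays to the client
        response = client_response(secret, challenge)  # what the workstation sends back
        verdicts[domain + "\\" + user] = helper.kk(domain, user, challenge, response)
    return verdicts
```

simulate(False) yields "NA" for the LAB user because the response was computed on CORP's challenge; simulate(True) yields "AF" for both.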