Samba 3.0 and ntlm_auth

From: Andrew Bartlett <abartlet@dont-contact.us>
Date: 11 May 2003 15:17:12 +1000

Just a quick note to describe what 'ntlm_auth' is in the Samba 3.0
sources.

After working with the Squid team on wb_ntlmauth, I soon decided that I
wanted to use our NTLMSSP code to create 'NTLMSSP done right', without
structure hacks and with one place to get the bugs right :-).

(As you know, Samba maintains its NTLMSSP code for SMB, and LDAP
already).

The result was a utility called ntlm_auth. It handles Squid 2.4 and 2.5
basic authentication, and Squid 2.5 NTLMSSP authentication.

It is tied to winbind, and uses the 'privileged pipe' to access the
challenge/response code. (no more special configure options). This is
usually in samba's LOCKDIR, and the permissions should be changed to
allow squid to use it.

It implements the squid protocols, but a 'midgard' module is under
development, with an apache 2 module to follow.

Usage:

ntlm_auth --helper-protocol=squid-2.5-basic
                            squid-2.4-basic
                            squid-2.5-ntlmssp

If a negotiate packet is sent for a YR call, then it uses that. It
needs winbind to maintain some kind of state for it, but I'm quite happy
for that to be as little as 'this is connection 5' - which would reduce
the need for 20 helpers to be in memory at once. Winbind is a single
thread, so having multiple helpers doesn't actually achieve anything.

It doesn't actually use the protocol letters for much, instead decoding
the NTLMSSP response to figure it out.

Samba 3.0's winbindd is also getting better, with recent work reducing
the number of packets we need to send to the DC to just 2, and reducing
the DC's internal lookups at the same time.

My hope is that in the long term, squid's wb_ntlmauth can 'go away', so
we don't have external dependencies on the winbind pipe protocol.

Of interest to developers is its '--diagnosis' option, which will
attempt a large number of authentication combinations, and tells you
what the server will support.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net

Received on Sat May 10 2003 - 23:17:29 MDT
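Added example (not code from the mail above, nor from Samba's ntlm_auth): a
sketch of the squid-2.5-ntlmssp helper loop the message describes, which
routes each request by decoding the NTLMSSP message type (1 = negotiate,
2 = challenge, 3 = authenticate) rather than trusting the YR/KK command
letter, and answers a bare 'YR' with a fresh challenge. The Squid 2.5 helper
protocol letters (YR, KK, TT, AF, NA, BH) and the NTLMSSP wire layout are
real; StubBackend, build_negotiate, build_authenticate and the user list are
constructed for this example and stand in for winbindd and a real client.
The stub does not verify NT/LM responses, which is the part ntlm_auth hands
to winbind and the DC.

```python
"""Route Squid 2.5 NTLM helper requests by NTLMSSP message type.

Added example, not Samba's ntlm_auth.  Protocol letters and NTLMSSP layout
are real; StubBackend and the build_* helpers are constructed stand-ins.
"""
import base64
import binascii
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE, CHALLENGE, AUTHENTICATE = 1, 2, 3  # NTLMSSP message types


def ntlmssp_message_type(blob: bytes) -> int:
    """Every NTLMSSP message starts with the 8-byte signature followed by
    a 32-bit little-endian message type; return it or raise ValueError."""
    if len(blob) < 12 or blob[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", blob, 8)
    if msg_type not in (NEGOTIATE, CHALLENGE, AUTHENTICATE):
        raise ValueError("unknown NTLMSSP message type %d" % msg_type)
    return msg_type


def type3_username(blob: bytes) -> str:
    """Extract UserName from a Type 3 message.  Its (len, maxlen, offset)
    descriptor sits at byte 36; bounds-check before slicing."""
    length, _maxlen, offset = struct.unpack_from("<HHI", blob, 36)
    if offset + length > len(blob):
        raise ValueError("user name field points outside the message")
    return blob[offset:offset + length].decode("utf-16-le")


class StubBackend:
    """Hypothetical stand-in for the winbindd privileged pipe: fixed
    server challenge, constructed user list, no NT/LM response check."""

    def __init__(self, challenge: bytes, known_users):
        self.challenge = challenge
        self.known_users = set(known_users)

    def make_challenge(self) -> bytes:
        # Minimal Type 2: signature, type, empty TargetName descriptor,
        # flags, 8-byte ServerChallenge, 8 reserved bytes (40 bytes).
        return (NTLMSSP_SIGNATURE + struct.pack("<I", CHALLENGE)
                + struct.pack("<HHI", 0, 0, 40) + struct.pack("<I", 0x8201)
                + self.challenge + b"\x00" * 8)

    def check_authenticate(self, blob: bytes):
        user = type3_username(blob)
        return user if user in self.known_users else None


def encode_line(cmd: str, blob: bytes) -> str:
    """Build one helper request line as Squid would send it."""
    return cmd + " " + base64.b64encode(blob).decode()


def handle_helper_line(line: str, backend) -> str:
    """One round of the squid-2.5-ntlmssp helper protocol."""
    parts = line.strip().split(" ", 1)
    cmd = parts[0]
    try:
        blob = base64.b64decode(parts[1], validate=True) if len(parts) > 1 else b""
    except binascii.Error:
        return "BH malformed base64"
    if not blob:
        # Squid 2.5 may send a bare YR to fetch a challenge before it has
        # received any negotiate packet from the browser.
        if cmd == "YR":
            return "TT " + base64.b64encode(backend.make_challenge()).decode()
        return "BH missing NTLMSSP packet"
    try:
        # Route on what the packet actually is, not on the command letter.
        msg_type = ntlmssp_message_type(blob)
        if msg_type == NEGOTIATE:
            return "TT " + base64.b64encode(backend.make_challenge()).decode()
        if msg_type == AUTHENTICATE:
            user = backend.check_authenticate(blob)
            return "AF " + user if user else "NA authentication failed"
        return "BH client sent an NTLMSSP challenge"
    except ValueError as e:
        return "BH " + str(e)


def build_negotiate(flags: int = 0x8207) -> bytes:
    """Constructed minimal Type 1: signature, type, flags, empty
    DomainName and Workstation descriptors (32 bytes)."""
    return (NTLMSSP_SIGNATURE + struct.pack("<I", NEGOTIATE)
            + struct.pack("<I", flags) + struct.pack("<HHI", 0, 0, 32) * 2)


def build_authenticate(user: str) -> bytes:
    """Constructed minimal Type 3 carrying only a UserName; LM/NT response
    fields are empty because this example computes no responses."""
    name = user.encode("utf-16-le")
    end = 64  # size of the fixed header assembled below
    fields = (struct.pack("<HHI", 0, 0, end) * 3                  # LM, NT, Domain
              + struct.pack("<HHI", len(name), len(name), end)    # UserName
              + struct.pack("<HHI", 0, 0, end + len(name)) * 2    # Wks, SessKey
              + struct.pack("<I", 0x8205))                        # flags
    return NTLMSSP_SIGNATURE + struct.pack("<I", AUTHENTICATE) + fields + name


if __name__ == "__main__":
    be = StubBackend(b"\x01\x23\x45\x67\x89\xab\xcd\xef", ["alice"])
    print(handle_helper_line("YR", be)[:3])
    print(handle_helper_line(encode_line("KK", build_authenticate("alice")), be))
```

Feeding a Type 3 packet on a 'YR' line still yields 'AF alice', which is the
behaviour the message describes: the letters are not what the helper keys
on. Anything that is not base64, not NTLMSSP, or an unexpected Type 2 from
the client comes back as 'BH', so a confused Squid restarts the helper
instead of getting a bogus 'AF'.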
