Re: Status on NTLM in Squid3?

From: Andrew Bartlett <abartlet@dont-contact.us>
Date: Sat, 30 Oct 2004 08:59:01 +1000

On Sat, 2004-10-30 at 01:11, Henrik Nordstrom wrote:
> On Fri, 29 Oct 2004, Andrew Bartlett wrote:
>
> > I've created a concoction of Samba3 and Samba4, and it works. I'll work
> > to make it a little less fragile, but it should give you some idea how I
> > think it should work...
>
> Is there any documentation on the SPNEGO ntlm_auth protocol yet?

It's the same as the Squid NTLMSSP protocol, except replies have three
args:

        /* The child's reply contains 3 parts:
           - The code: TT, AF or NA
           - The blob to send to the client, coded in base64
           - The argument:
                 For TT it's a dummy '*'
                 For AF it's domain\\user
                 For NA it's the NT error code
        */

> One small request to make the future a little brighter. In Squid-3 we have
> already started adding support for concurrency in the helper protocols by
> prefixing each query with a query/session identifier (0 - max concurrency
> level defined for the helper), and the helper is free to answer the
> received queries in any order it likes. It would be great if you could
> look into how well this can be supported by Samba ntlm_auth to allow the
> scheme to scale in bigger installations.

Can you give me details of the exact protocol you intend to use? Inside
ntlm_auth it should be trivial, I just keep separate state machines in a
lookup tree.

> A trivial initial implementation is to simply use this to allow for
> multiple negotiation sessions in the same helper but with no actual
> concurrency in the winbind lookups. But in the long run it would be great
> if there was support for concurrent winbind lookups to avoid stalling only
> because one winbind query is taking a long time.. (assuming this is also
> solved in winbind, for which there seems to be some progress)

This is certainly a goal we are working towards.

> The Squid-3 implementation is complete on stateless helpers, but not yet
> on stateful helpers but I have committed myself to get this done before
> 3.0..

Great. As soon as I know what they are meant to look like, I'll try and
get them implemented, so that we don't have too high a 'Samba version'
burden for Squid 3.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet@samba.org
Authentication Developer, Samba Team            http://samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
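An added example, not code from this thread, ntlm_auth or Squid: a parser for the three-part helper reply format quoted above (code, base64 blob, argument), extended with the Squid-3 concurrency scheme Henrik describes, where each query carries a channel id and replies may come back in any order. It assumes the helper echoes the integer channel id as a leading field on each reply; names such as parse_helper_reply and route_replies are hypothetical.

```python
import base64
from dataclasses import dataclass
from typing import Optional

# Reply codes from the ntlm_auth comment quoted above:
# TT = more tokens to exchange, AF = authenticated, NA = not authenticated.
REPLY_CODES = {"TT", "AF", "NA"}

@dataclass
class HelperReply:
    channel: Optional[int]  # Squid-3 concurrency id (assumed echoed by the helper)
    code: str               # TT, AF or NA
    blob: bytes             # decoded token to hand back to the client
    arg: str                # '*' for TT, DOMAIN\user for AF, NT error code for NA

def parse_helper_reply(line: str, concurrent: bool = False) -> HelperReply:
    """Parse "[<id> ]<code> <base64 blob> <arg>" and reject malformed replies."""
    fields = line.rstrip("\r\n").split(" ", 3 if concurrent else 2)
    channel = None
    if concurrent:
        if len(fields) < 4:
            raise ValueError("concurrent reply needs channel id plus 3 parts")
        channel = int(fields[0])  # ValueError if the id is not an integer
        fields = fields[1:]
    if len(fields) != 3:
        raise ValueError("reply must have exactly 3 parts: code, blob, argument")
    code, b64, arg = fields
    if code not in REPLY_CODES:
        raise ValueError(f"unknown reply code {code!r}")
    # validate=True turns stray characters into an error instead of skipping them
    blob = base64.b64decode(b64, validate=True)
    if code == "TT" and arg != "*":
        raise ValueError("TT reply must carry the dummy '*' argument")
    if code == "AF" and "\\" not in arg:
        raise ValueError("AF reply must name the user as DOMAIN\\user")
    return HelperReply(channel, code, blob, arg)

def route_replies(pending: dict, lines: list) -> dict:
    """Match out-of-order concurrent replies to their queries by channel id."""
    results = {}
    for line in lines:
        reply = parse_helper_reply(line, concurrent=True)
        if reply.channel not in pending:
            raise ValueError(f"reply for unknown or answered channel {reply.channel}")
        results[pending.pop(reply.channel)] = reply  # each id answered exactly once
    return results

def reply_is_valid(line: str, concurrent: bool = False) -> bool:
    try:
        parse_helper_reply(line, concurrent)
        return True
    except ValueError:
        return False
```

The sample blob "TlRMTVNTUAA=" used in testing is just the constructed bytes b"NTLMSSP\0", not a real token.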

Received on Fri Oct 29 2004 - 16:59:19 MDT
