On Sun, 8 Sep 2002, Andrew Bartlett wrote:

> The current stable code uses the interface Squid expects - that's in
> Samba 2.2.4 and above. Samba 2.2 is in feature freeze, and I would not
> expect any changes to this interface, in particular because of its use
> by squid.

Ok. So the specification is simply that Samba-2.2, version 2.2.4 or later
is what must be used. In Samba-3 there will be other means.

> The specifications are:
> - Use Samba's NTLMSSP code. Needs separation from the surrounding code
> in clispnego.c and smbd/sesssetup.c
> - Also needs 'ascii' support added. Currently all-unicode.

Meaning you do not support clients not supporting unicode yet?

> - Separate Samba-supplied binary, called ntlm_auth
> - Use a Popt interface, so that we can specify --squid-2.5 for the
> current squid protocol etc.

Very good idea. As you already are mixing plaintext into the mix I would
propose a single helper for both plaintext, ntlmssp and raw ntlm.

--squid-2.4
    login<SP>password[\r]\n, support spaces in the password field
--squid-2.4-long-usernames
    login<SP>password[\r]\n, support spaces in the login field
--squid-2.5-basic
    login<SP>password[\r]\n, URL encoded fields
--squid-2.5-ntlmssp
    the stateful NTLMSSP helper protocol of Squid-2.5
--squid-2.6-ntlmssp
    the NTLMSSP helper protocol of Squid-2.6 (whatever that will look like)

or perhaps simply instead of --squid-2.5-basic and --squid-2.6-ntlm use
generic names not tied to squid if these protocols are deemed generically
acceptable, like

--plaintext
--ntlmssp

which is a bit too many options, so there should probably be a single
option with the helper protocol to use as argument..

--helper-protocol=[one of the above]

> - Have a command-line challenge-response interface
> - takes --username=abartlet --domain=FOO --lm-resp=ASDGADF (hex
> encoded, 24 bytes) --nt-resp=AADFAFG1232 (hex encoded >=24 bytes)

Shouldn't there be a --challenge=... option in this command line "raw
NTLM" mode? And who should generate the challenge bytes?

A note of warning: Many "first try" applications using the above command
line mode are likely to fail on usernames (or domains?) with spaces in
them..

What about also supporting a stream oriented NTLM mode?

NTLMv2 responses can be identified by their length, and do not need any
additional data from the client, right?

> - returns NT_STATUS_... on stdout, 0 or 1 to exit code
> - Have a similar 'plaintext' interface (option not to have password on
> cmd line)
>
> The idea is that this can be a stable, long-term interface that Samba
> can provide, to squid and other projects

Great!

> Any takers?

In the raw NTLM mode, what about the session key (MD5(NT#) IIRC)? Will
there be support from winbindd to have this returned? Needed for MSCHAPv2,
remember?

This should obviously be restricted to applications running with a
specific uid/group configured in smb.conf... (use SO_PEERCRED to find out
in winbindd)

Regards
Henrik
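The helper line formats proposed in the message above, as an added example that is not part of this thread or of Samba's ntlm_auth: it shows why the three basic formats differ on spaces (first-space vs last-space vs URL decoding) and classifies a hex-encoded NT response by length, as the message suggests. Function names and the sample lines are assumptions.

```python
"""Parsers for the helper line formats discussed in the message.

Added example (not Samba or Squid code).  Function names are assumed;
the line formats follow the message: 'login<SP>password[\\r]\\n', with
spaces allowed in one field or both fields URL encoded, and a hex
encoded NT response of at least 24 bytes in raw NTLM mode.
"""
from urllib.parse import unquote


def _strip_eol(line: str) -> str:
    # The terminator is "[\r]\n", so tolerate both "\r\n" and "\n".
    return line.rstrip("\r\n")


def parse_squid_24(line: str) -> tuple[str, str]:
    """--squid-2.4: split at the FIRST space, so spaces in the password survive."""
    login, sep, password = _strip_eol(line).partition(" ")
    if not sep:
        raise ValueError("expected 'login<SP>password'")
    return login, password


def parse_squid_24_long_usernames(line: str) -> tuple[str, str]:
    """--squid-2.4-long-usernames: split at the LAST space, so spaces in the login survive."""
    login, sep, password = _strip_eol(line).rpartition(" ")
    if not sep:
        raise ValueError("expected 'login<SP>password'")
    return login, password


def parse_squid_25_basic(line: str) -> tuple[str, str]:
    """--squid-2.5-basic: both fields are URL encoded, so either may contain spaces."""
    login, sep, password = _strip_eol(line).partition(" ")
    if not sep:
        raise ValueError("expected 'login<SP>password'")
    return unquote(login), unquote(password)


def classify_nt_response(hex_resp: str) -> str:
    """Raw NTLM mode: --nt-resp is hex encoded and >= 24 bytes.

    Exactly 24 bytes is an NTLMv1 NT response; a longer value is an
    NTLMv2 response, so the version is recoverable from length alone.
    """
    raw = bytes.fromhex(hex_resp)
    if len(raw) < 24:
        raise ValueError("nt-resp shorter than 24 bytes")
    return "NTLMv1" if len(raw) == 24 else "NTLMv2"
```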