Andrew Bartlett wrote:

Windows authentication extends far beyond the CIFS protocol that Samba
implements, but it is only very recently that work has been done to catch
up to Microsoft's extensions in this area.  This has caused many
administrators pain and toil that their MS counterparts simply don't
have.  For them, authentication 'just works', with single-sign-on and
the lot.

I have worked, for over a year, with the Squid development team, in
extending NTLMSSP authentication to HTTP.  The squid team made a very
good start (as I see Cyrus-SASL now has) in including a basic NTLMSSP
implementation, and even providing a proxy-mechanism to authenticate
against a Windows DC.  I extended on this base, providing the
ntlm_auth tool, which allows them to perform this against winbind, and
without having to understand NTLMSSP as anything more than BASE64 strings.

This provides a much more reliable interface, as winbind is not only faster, we can also prevent man-in-the-middle attacks.

The attached patch provides this for Cyrus-SASL.  In the same way that
Squid now uses Winbind, all Cyrus-SASL enabled applications can use
Winbind (via ntlm_auth) to authenticate their users.  This provides
the most current NTLMSSP implementation in the Open Source arena, as
it is the one that we must maintain for Samba's internal use.

The plugin is designed to use ntlm_auth over a stdio interface,
because as part of Samba, it is GPL'ed.  The plugin provides a client
and a server implementation, but can only proxy its server-side (I
can provide a mode that allows for local passwords if it is required).

Current Samba 3.0 CVS is required to find the NTLMSSP client code exposed.

Here is my opinion, Rob's *may* differ:


Having support for all of the latest NTLMSSP stuff is a great idea, but I don't think we want to have yet another dependency for Cyrus SASL, especially unreleased Samba code.

I also think that being able to use passwords that are stored in an auxprop plugin is mandatory as there might be sites which want to support MS clients but don't have an MS server to proxy to.

Can you point me to any references to Winbind, so I at least know what we are missing?

Patch against current SASL CVS, but my testing was actually with 2.1.15

I wanted to take a look at your code, but this patch does not apply cleanly to CVS -- only 1 of 7 hunks succeeds.


--
Kenneth Murchison     Oceana Matrix Ltd.
Software Engineer     21 Princeton Place
716-662-8973 x26      Orchard Park, NY 14127
--PGP Public Key--    http://www.oceana.com/~ken/ksm.pgp
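The stdio exchange Andrew describes above, in which the application never has to understand NTLMSSP as anything more than base64 strings, looks roughly like the following.  This is an added illustration, not the patch under discussion and not code from Samba or Cyrus-SASL.  It assumes ntlm_auth's squid-2.5-ntlmssp helper protocol (the `--helper-protocol` flag and the YR/TT/KK/AF/NA/BH verbs are not named in the thread), a running winbindd, and a hypothetical `NtlmAuthSession` wrapper name; the sample Type 1 token is constructed here for the offline checks and carries no real flags or credentials.

```python
"""Proxy an NTLMSSP exchange to winbind via ntlm_auth over stdin/stdout.

Assumed helper protocol (ntlm_auth --helper-protocol=squid-2.5-ntlmssp):
  we send   "YR <base64 Type 1>"   helper replies "TT <base64 Type 2>"
  we send   "KK <base64 Type 3>"   helper replies "AF <user>" or "NA <reason>"
  "BH <reason>" means the helper itself is broken.
"""
import base64
import shutil
import subprocess
from dataclasses import dataclass
from typing import List, Optional

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"   # every NTLMSSP token starts with this
VALID_CODES = ("TT", "AF", "NA", "BH")


@dataclass
class HelperReply:
    code: str      # one of VALID_CODES
    payload: str   # base64 challenge, authenticated user, or reason text


def parse_helper_line(line: str) -> HelperReply:
    """Parse one reply line from the helper; anything off-protocol is an error."""
    line = line.rstrip("\r\n")
    code, _, payload = line.partition(" ")
    if code not in VALID_CODES:
        raise ValueError(f"unexpected helper reply: {line!r}")
    return HelperReply(code, payload)


def ntlmssp_message_type(token_b64: str) -> int:
    """Return the NTLMSSP message type (1 negotiate, 2 challenge, 3 authenticate).

    The type is a little-endian uint32 at offset 8, right after the signature.
    Checking it before handing a token to the helper keeps garbage (or a
    token from the wrong stage) from ever reaching winbind.
    """
    raw = base64.b64decode(token_b64, validate=True)
    if len(raw) < 12 or raw[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP token")
    return int.from_bytes(raw[8:12], "little")


# Constructed sample: signature + type 1 + zero padding (not a real negotiate token).
SAMPLE_TYPE1_B64 = base64.b64encode(
    NTLMSSP_SIGNATURE + (1).to_bytes(4, "little") + b"\x00" * 20).decode()


class NtlmAuthSession:
    """One proxied NTLMSSP authentication (hypothetical wrapper name)."""

    def __init__(self, helper_cmd: Optional[List[str]] = None):
        cmd = helper_cmd or [shutil.which("ntlm_auth") or "ntlm_auth",
                             "--helper-protocol=squid-2.5-ntlmssp"]
        # Line-buffered text pipes: one request line out, one reply line back.
        self.proc = subprocess.Popen(cmd, stdin=subprocess.PIPE,
                                     stdout=subprocess.PIPE, text=True, bufsize=1)

    def _exchange(self, verb: str, token_b64: str) -> HelperReply:
        self.proc.stdin.write(f"{verb} {token_b64}\n")
        self.proc.stdin.flush()
        return parse_helper_line(self.proc.stdout.readline())

    def negotiate(self, type1_b64: str) -> str:
        """Forward the client's Type 1 token; return the Type 2 challenge to relay."""
        if ntlmssp_message_type(type1_b64) != 1:
            raise ValueError("expected an NTLMSSP NEGOTIATE token")
        reply = self._exchange("YR", type1_b64)
        if reply.code != "TT":
            raise RuntimeError(f"helper did not issue a challenge: {reply}")
        return reply.payload

    def authenticate(self, type3_b64: str) -> Optional[str]:
        """Forward the Type 3 token; return the user name, or None if rejected."""
        if ntlmssp_message_type(type3_b64) != 3:
            raise ValueError("expected an NTLMSSP AUTHENTICATE token")
        reply = self._exchange("KK", type3_b64)
        if reply.code == "AF":
            return reply.payload          # e.g. "DOMAIN\\user" as winbind reports it
        if reply.code == "NA":
            return None                   # credentials rejected by the DC
        raise RuntimeError(f"helper failure: {reply}")

    def close(self) -> None:
        self.proc.stdin.close()
        self.proc.wait()
```

Because the challenge is generated and verified on the winbind side, the application never sees a password or password hash; it only decides what to do with the `AF`/`NA` outcome, which is the property the thread is after.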
