On Wed, 31 Dec 2003, Andrew Bartlett wrote:

> > > The plugin is designed to use ntlm_auth over a stdio interface,
> > > because as part of Samba, it is GPL'ed. The plugin provides a client,
> > > and a server implementation, but can only proxy its server-side (I
> > > can provide a mode that allows for local passwords if it is required).
> > >
> > > Current Samba 3.0 CVS is required to find the NTLMSSP client code exposed.
> >
> > Here is my opinion, Rob's *may* differ:
> >
> > Having support for all of the latest NTLMSSP stuff is a great idea, but
> > I don't think we want to have yet another dependency for Cyrus SASL,
> > especially unreleased Samba code.
>
> This will be in Samba 3.0.2, which I expect to be released in a
> reasonably short timeframe due to issues in 3.0.1 (but the rest is up
> to the release manager)

Ok: Here's my take on the NTLM changes.

If we were to accept this, I'd want to accept it as another alternative. I don't want to suddenly require anyone who is using our NTLM plugin to have to install SAMBA. I also don't want to remove the ability to support NTLM from the same password store that we serve other mechanisms from.

So, I'm willing to take a patch that adds an alternate way to compile the NTLM plugin, but not one that replaces what we currently do (and not by default).

> I was very pleased to see what appears to be a reasonably mature
> NTLMSSP implementation. However, a few things stood out - common
> errors in most of the NTLMSSP implementations I have seen:

[snip]

I'd be very interested to see patches that fix all of these internally ;)

> > I also think that being able to use passwords that are stored in an
> > auxprop plugin is mandatory as there might be sites which want to
> > support MS clients but don't have an MS server to proxy to.
>
> They can always use a Samba server :-)

Then they have to maintain separate password stores for their NTLM clients and for their DIGEST-MD5 clients. I don't think this is the direction we want to head.

> But seriously, if it is required, we can add a callback.

I just don't want to add the required dependency, really.

> > > Patch against current SASL CVS, but my testing was actually with 2.1.15
> >
> > I wanted to take a look at your code, but this patch does not apply
> > cleanly to CVS -- only 1 of 7 hunks succeeds.
>
> I'll try again on the patch.
>
> http://hawkerc.net/staff/abartlet/ntlm_sasl.diff

As far as the GSS-SPNEGO stuff is concerned, it looks very similar to the NTLM changes, just with different parameters passed to ntlm_auth. Am I missing something?

Perhaps it makes sense to have a "samba" plugin that supports both NTLM and GSS-SPNEGO via ntlm_auth, and is built if --with-samba is supplied. In this case, we do not build the original NTLM plugin.

-Rob

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Rob Siemborski * Andrew Systems Group * Cyert Hall 207 * 412-268-7456
Research Systems Programmer * /usr/contributed Gatekeeper