On Sat, 2004-10-30 at 01:11, Henrik Nordstrom wrote:
> On Fri, 29 Oct 2004, Andrew Bartlett wrote:
> 
> > I've created a concoction of Samba3 and Samba4, and it works.  I'll work
> > to make it a little less fragile, but it should give you some idea how I
> > think it should work...
> 
> Is there any documentation on the SPNEGO ntlm_auth protocol yet?

It's the same as the Squid NTLMSSP protocol, except replies have three
args:

        /* The child's reply contains 3 parts:
           - The code: TT, AF or NA
           - The blob to send to the client, coded in base64
           - The argument:
                 For TT it's a dummy '*'
                 For AF it's domain\\user
                 For NA it's the NT error code
        */

> One small request to make the future a little brighter. In Squid-3 we have 
> already started adding support for concurrency in the helper protocols by 
> prefixing each query with a query/session identifier (0 - max concurrency 
> level defined for the helper), and the helper is free to answer the 
> received queries in any order it likes. It would be great if you could 
> look into how well this can be supported by Samba ntlm_auth to allow the 
> scheme to scale in bigger installations.

Can you give me details of the exact protocol you intend to use?  Inside
ntlm_auth it should be trivial, I just keep separate state machines in a
lookup tree.

> A trivial initial implementation is to simply use this to allow for 
> multiple negotiation sessions in the same helper but with no actual 
> concurrency in the winbind lookups. But in the long run it would be great 
> if there was support for concurrent winbind lookups to avoid stalling only 
> because one winbind query is taking a long time.. (assuming this is also 
> solved in winbind, for which there seems to be some progress)

This is certainly a goal we are working towards.  

> The Squid-3 implementation is complete on stateless helpers, but not yet 
> on stateful helpers but I have committed myself to get this done before 
> 3.0..

Great.  As soon as I know what they are meant to look like, I'll try and
get them implemented, so that we don't have too high a 'Samba version'
burden for Squid 3.

Andrew Bartlett

-- 
Andrew Bartlett                                 [EMAIL PROTECTED]
Authentication Developer, Samba Team            http://samba.org
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
