> -----Original Message-----
> From: Henrik Nordstrom [mailto:hno@squid-cache.org]
> Sent: Sunday, February 24, 2002 12:48 PM
> To: Robert Collins; Squid Developers Mailinglist
> Subject: Re: NTLM
>
>
> On Sunday 24 February 2002 01:58, Robert Collins wrote:
>
> > > b) Why isn't the negotiate packet sent to the helper? Doesn't the
> > > DC need the users domain name to generate a correct challenge in
> > > case of trust relations or multi-domain configurations?
> >
> > No. The authenticating workstation uses the secure channel to pass
> > the triple (challenge,result,user) to a domain controller of its
> > domain, which then passes the same to the correct domain if the
> > user is not in its domain.
>
> I think you should even if it is not needed for the current NTLMSSP
> or winbind helpers. If you do then one can easily write a
> multi-domain NTLMSSP helper without the need of trust relations by
> simply having a domain->dc translation table in the helper.
Actually, I'm not sure that that will work. IIRC the domain present in the negotiate packet is the _machine_ domain, not the workstation domain. Because the user's domain is orthogonal to the machine domain... This is just from memory.
> And are you absolutely sure the domain isn't used when generating the
> NTLMSSP challenge, for any purpose?
No, but we've never needed it. We started off passing it through, and ended up removing it when we introduced caching.
As for handing the negotiate packet to the helper, we're actually considering giving the helper less, not more. The winbindd helper opens the door to allowing squid-generated challenges, which means much more efficient processing and less complex internal structures, but on the down side needs more smarts. So we're looking at a protocol v4 in the next release anyway.
Rob
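An added illustration of the domain->dc translation table Henrik proposes above; this is example code written for this archive page, not code from the thread, from Squid, or from the NTLMSSP/winbind helpers. It parses the OEM domain and workstation fields of an NTLMSSP Type 1 (negotiate) message, whose layout follows MS-NLMP, and looks the domain up in a constructed table. The table contents, the DC hostnames and the function names (build_negotiate, parse_negotiate, select_dc) are assumptions. As Rob's reply points out, the field this packet carries is the client machine's domain, so a helper routing on it selects a DC by machine domain, not by the user's domain; the comments flag that caveat.

```python
import base64
import struct

# NTLMSSP Type 1 (NEGOTIATE) message constants, per MS-NLMP.
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLM_NEGOTIATE = 1
NEGOTIATE_OEM_DOMAIN_SUPPLIED = 0x00001000
NEGOTIATE_OEM_WORKSTATION_SUPPLIED = 0x00002000

# Hypothetical domain -> domain controller table (constructed for the example).
DC_TABLE = {
    "CORP": "dc1.corp.example",
    "LAB": "dc1.lab.example",
}


def build_negotiate(domain: bytes, workstation: bytes, flags: int = 0) -> bytes:
    """Construct a Type 1 message carrying OEM domain/workstation fields.

    Used here only to produce sample input; a real client builds this packet.
    Layout: signature(8) | type(4) | flags(4) | DomainNameFields(8) |
            WorkstationFields(8) | payload (no Version field).
    """
    flags |= NEGOTIATE_OEM_DOMAIN_SUPPLIED | NEGOTIATE_OEM_WORKSTATION_SUPPLIED
    header_len = 32
    dom_off = header_len
    ws_off = dom_off + len(domain)
    header = NTLMSSP_SIGNATURE + struct.pack("<II", NTLM_NEGOTIATE, flags)
    header += struct.pack("<HHI", len(domain), len(domain), dom_off)
    header += struct.pack("<HHI", len(workstation), len(workstation), ws_off)
    return header + domain + workstation


def parse_negotiate(blob: bytes) -> dict:
    """Parse a raw Type 1 message and return its flags, domain and workstation.

    Both string fields are OEM (8-bit) encoded in a Type 1 message regardless
    of the unicode flag. Field bounds are checked so a short or malformed
    packet raises ValueError instead of reading past the buffer.
    """
    if len(blob) < 16 or blob[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP message")
    msg_type, flags = struct.unpack_from("<II", blob, 8)
    if msg_type != NTLM_NEGOTIATE:
        raise ValueError(f"expected Type 1, got Type {msg_type}")

    def field(descriptor_offset: int) -> bytes:
        # Each field descriptor is Len(2) MaxLen(2) Offset(4), little-endian.
        if len(blob) < descriptor_offset + 8:
            return b""
        length, _maxlen, offset = struct.unpack_from("<HHI", blob, descriptor_offset)
        if length == 0:
            return b""
        if offset + length > len(blob):
            raise ValueError("field lies outside the message")
        return blob[offset:offset + length]

    domain = field(16) if flags & NEGOTIATE_OEM_DOMAIN_SUPPLIED else b""
    workstation = field(24) if flags & NEGOTIATE_OEM_WORKSTATION_SUPPLIED else b""
    return {
        "flags": flags,
        # NOTE: this is the domain the client *machine* reports, which the
        # thread above notes is not necessarily the user's logon domain.
        "domain": domain.decode("ascii", "replace"),
        "workstation": workstation.decode("ascii", "replace"),
    }


def select_dc(blob: bytes, table: dict = DC_TABLE, default: str = "dc1.corp.example") -> str:
    """Pick a DC from the table by the negotiate packet's domain field.

    Falls back to `default` when the client supplied no domain or an unknown one.
    """
    info = parse_negotiate(blob)
    return table.get(info["domain"].upper(), default)


if __name__ == "__main__":
    # Sample packet as it would arrive base64-encoded in an Authorization header.
    token = base64.b64encode(build_negotiate(b"LAB", b"PC7")).decode()
    raw = base64.b64decode(token)
    print(parse_negotiate(raw), "->", select_dc(raw))
```

The parser never trusts the Len/Offset pairs: a descriptor pointing outside the buffer is rejected rather than sliced, which is the check a helper reading untrusted client blobs needs before doing anything with the values.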
Received on Sat Feb 23 2002 - 20:15:04 MST