> On Sunday 24 February 2002 04:15, Robert Collins wrote:
>
> > As for handing the negotiate packet to the helper, we're actually
> > considering giving the helper less, not more. The windbindd helper
> > opens the door to allowing squid generated challenges, which means
> > much more efficient processing, and less complex internal
> > structures, but on the down side needs more smarts. So we're
> > looking at a protocol v4 in the next release anyway.
>
> From a security perspective I would prefer if the challenge was
> generated outside of Squid. I do not want Squid to require the needed
> permissions to get into said "secure channel".
With winbindd the flow (with associated security channels) is:
squid <-pipe-> winbindd helper <-named_pipe-> winbindd on localhost <-\
<-RPC_channel-> Domain controller <- Trust (RPC) -> Domain
Controller
The RPC relationship is (and always will be) handled by winbindd.
This is required because domain membership also requires other activities
than requesting authentications. For one, the workstation password MUST
be changed every day. Currently this can be done by a Samba running on the
host, but the samba people prepared an rpcclient command so that
it can be done via a simple cron job.
> I am pretty sure the winbind people agrees on this principle.
>
> There is reasons to why the endpoints needs to be authenticated to
> perform such type of authentication. Nothing major, but still...
-- /kinkieReceived on Mon Feb 25 2002 - 02:20:01 MST
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:14:48 MST