mschap via ntlm_auth over a socket

Matthew Newton mcn4 at leicester.ac.uk
Wed Dec 3 17:51:23 CET 2014


On Wed, Dec 03, 2014 at 11:07:15AM -0500, Arran Cudbard-Bell wrote:
> 
> > On 3 Dec 2014, at 11:06, Phil Mayers <p.mayers at imperial.ac.uk> wrote:
> > 
> > On 03/12/14 15:59, Arran Cudbard-Bell wrote:
> > 
> >> I don't see any reason people would wrap ntlm_auth, or why the
> >> arguments would change.
> > 
> > We *do* wrap it currently, and I can think of not-ridiculous reasons to do so in some cases.
> 
> Do you wrap it in such a way that it would not pass the --helper-protocol flag through?

I think Phil's current reason to wrap it (to get timings) would
not be applicable with the helper-protocol flag. But I'm sure
there may be other reasons.

I like both options - the idea that the server will do the
smart(TM) thing usually, but giving the admin the option to force
an option when they want.

Though you already have to alter the config to tell it to do
ntlm_auth (by un-commenting and setting the cmd line), so in some
way adding a new "method" is no different, and possibly a bit
easier to see what's happening, e.g.

current:

# internal auth:

  # ntlm_auth = "/path/to/binary... --args"
  ntlm_auth_timeout = 10

# ntlm_auth:

  ntlm_auth = "/path/to/binary... --args"
  ntlm_auth_timeout = 10

new:

# internal auth:

  # configure mschap backend here:
  method = internal

  # other options for the methods:
  ntlm_auth = "/path/to/binary... --args"
  ntlm_auth_timeout = 10
  ntlmauth_socket {
    socket = "/run/ntlmauth.sock"
  }

# ntlm_auth:

  # configure mschap backend here:
  method = ntlmauth_exec

  # other options for the methods:
  ntlm_auth = "/path/to/binary... --args"
  ntlm_auth_timeout = 10
  ntlmauth_socket {
    socket = "/run/ntlmauth.sock"
  }


The latter (to me) seems clearer what you're configuring it to do.

Then in the future, maybe:

# winbind:

  # configure mschap backend here:
  method = winbind

  # other options for the methods:
  ntlm_auth = "/path/to/binary... --args"
  ntlm_auth_timeout = 10
  ntlmauth_socket {
    socket = "/run/ntlmauth.sock"
  }

to use a samba library. Means only changing one option. After a
few releases where, say, the "winbind" or "ntlmauth_socket" option
is the default and no failure reports (e.g. reasons for people to
want to force "ntlm_auth" by exec again), maybe ntlmauth_exec
could be removed.

Just thinking out loud. Maybe there's a cleaner way. Actually the
first method I thought of was to just split mschap into multiple
modules, one for each auth type. Then realised how much was
actually in the mschap module...

Cheers

Matthew


-- 
Matthew Newton, Ph.D. <mcn4 at le.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <ithelp at le.ac.uk>
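The subject of the thread, speaking to a long-running ntlm_auth through its --helper-protocol instead of exec'ing it once per request, is the piece an implementer would have to get right, so here is the client side of Samba's ntlm-server-1 helper protocol in Python. This is an added example, not code from the thread, from FreeRADIUS or from Samba. The field names (Username, NT-Domain, LANMAN-Challenge, NT-Response, Request-User-Session-Key) and the reply lines (Authenticated, Authentication-Error, Error, User-Session-Key, the terminating ".") follow my reading of Samba's ntlm_auth.c and should be checked against the ntlm_auth(1) man page for the Samba version in use; the two sample replies are constructed, and the helper path in NTLM_AUTH is an assumption.

```python
"""Client framing for Samba ntlm_auth's ``--helper-protocol=ntlm-server-1``.

Added example, not code from FreeRADIUS or Samba. Field and reply names follow
my reading of Samba's ntlm_auth.c (manage_ntlm_server_1_request); verify them
against ntlm_auth(1) for the Samba version you run.
"""
import io
import subprocess
from typing import BinaryIO, Dict, List

# Assumed path; the distribution decides where ntlm_auth lives.
NTLM_AUTH = "/usr/bin/ntlm_auth"

# Constructed replies for offline use, shaped like ntlm_auth's stdout.
SAMPLE_REPLY_OK = (b"Authenticated: Yes\n"
                   b"User-Session-Key: 0123456789ABCDEF0123456789ABCDEF\n"
                   b".\n")
# On a bad credential ntlm_auth prints its own '.' after the
# Authentication-Error line and then the request's terminating '.',
# so a failed reply carries two dots and the reader must drain both.
SAMPLE_REPLY_BAD = (b"Authenticated: No\n"
                    b"Authentication-Error: NT_STATUS_WRONG_PASSWORD\n"
                    b".\n"
                    b".\n")


def build_request(username: str, domain: str, challenge_hex: str,
                  nt_response_hex: str, want_session_key: bool = True) -> bytes:
    """One request: 'Name: value' lines ended by a line holding only '.'."""
    # ntlm_auth answers a malformed field line immediately, before it has
    # seen the request's '.', so a bad blob would yield two replies for one
    # request and desynchronise the stream. Check lengths here instead.
    if len(bytes.fromhex(challenge_hex)) != 8:
        raise ValueError("LANMAN-Challenge must be 8 bytes (16 hex digits)")
    if len(bytes.fromhex(nt_response_hex)) != 24:
        raise ValueError("NT-Response must be 24 bytes (48 hex digits)")
    for value in (username, domain):
        # The protocol is line based: a newline inside a user-supplied name
        # would inject an extra field or an early '.'.
        if "\n" in value or "\r" in value:
            raise ValueError("newline in request field")
    lines = [f"Username: {username}",
             f"NT-Domain: {domain}",
             f"LANMAN-Challenge: {challenge_hex}",
             f"NT-Response: {nt_response_hex}"]
    if want_session_key:
        lines.append("Request-User-Session-Key: Yes")
    lines.append(".")
    return ("\n".join(lines) + "\n").encode()


def parse_response(stream: BinaryIO) -> Dict[str, object]:
    """Read one reply from ntlm_auth and classify it.

    'authenticated' is True only on 'Authenticated: Yes'. A helper or framing
    fault arrives as an 'Error:' line, a wrong credential as 'Authenticated: No'
    plus 'Authentication-Error:'; both are kept in 'error' so the RADIUS side
    can tell a broken helper from a bad password.
    """
    result: Dict[str, object] = {"authenticated": False, "error": None,
                                 "session_key": None}
    expect_extra_dot = False
    while True:
        raw = stream.readline()
        if not raw:
            raise EOFError("ntlm_auth closed the pipe mid-reply")
        line = raw.decode(errors="replace").rstrip("\r\n")
        if line == ".":
            if expect_extra_dot:
                expect_extra_dot = False  # dot belonging to the error message
                continue
            return result
        name, sep, value = line.partition(": ")
        if not sep:
            result["error"] = f"unparseable line: {line!r}"
            continue
        if name == "Authenticated":
            result["authenticated"] = (value == "Yes")
        elif name == "Authentication-Error":
            result["error"] = value
            expect_extra_dot = True
        elif name == "Error":
            result["error"] = value
        elif name == "User-Session-Key":
            result["session_key"] = value.lower()


def parse_response_bytes(data: bytes, count: int = 1) -> List[Dict[str, object]]:
    """Parse `count` consecutive replies from captured helper output."""
    stream = io.BytesIO(data)
    return [parse_response(stream) for _ in range(count)]


def authenticate(to_helper: BinaryIO, from_helper: BinaryIO, username: str,
                 domain: str, challenge_hex: str, nt_response_hex: str) -> Dict[str, object]:
    """Send one request over an already-open helper pipe and read the reply."""
    to_helper.write(build_request(username, domain, challenge_hex, nt_response_hex))
    to_helper.flush()
    return parse_response(from_helper)


if __name__ == "__main__":
    # Talks to a real helper; needs Samba installed and the host joined.
    proc = subprocess.Popen([NTLM_AUTH, "--helper-protocol=ntlm-server-1"],
                            stdin=subprocess.PIPE, stdout=subprocess.PIPE)
    print(authenticate(proc.stdin, proc.stdout, "alice", "EXAMPLE",
                       "0011223344556677", "00" * 24))
    proc.stdin.close()
    proc.wait()
```

The point of keeping the helper open is that one process serves many requests, which is why the reader has to leave the stream exactly at a reply boundary: the second "." on a failed authentication, and the early "Error:" reply to a malformed field, are both ways to end up one reply out of step with the helper.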

