On Wed, Dec 03, 2014 at 11:07:15AM -0500, Arran Cudbard-Bell wrote:
On 3 Dec 2014, at 11:06, Phil Mayers <p.mayers@imperial.ac.uk> wrote:
On 03/12/14 15:59, Arran Cudbard-Bell wrote:
I don't see any reason people would wrap ntlm_auth, or why the arguments would change.
We *do* wrap it currently, and I can think of not-ridiculous reasons to do so in some cases.
Do you wrap it in such a way that it would not pass the --helper-protocol flag through?
I think Phil's current reason to wrap it (to get timings) would not be applicable with the helper-protocol flag. But I'm sure there may be other reasons. I like both options - the idea that the server will do the smart(TM) thing usually, but giving the admin the option to force an option when they want. Though you already have to alter the config to tell it to do ntlm_auth (by un-commenting and setting the cmd line), so in some way adding a new "method" is no different, and possibly a bit easier to see what's happening, e.g. current: # internal auth: # ntlm_auth = "/path/to/binary... --args" ntlm_auth_timeout = 10 # ntlm_auth: ntlm_auth = "/path/to/binary... --args" ntlm_auth_timeout = 10 new: # internal auth: # configure mschap backend here: method = internal # other options for the methods: ntlm_auth = "/path/to/binary... --args" ntlm_auth_timeout = 10 ntlmauth_socket { socket = "/run/ntlmauth.sock" } # ntlm_auth: # configure mschap backend here: method = ntlmauth_exec # other options for the methods: ntlm_auth = "/path/to/binary... --args" ntlm_auth_timeout = 10 ntlmauth_socket { socket = "/run/ntlmauth.sock" } The latter (to me) seems clearer what you're configuring it to do. Then in the future, maybe: # winbind: # configure mschap backend here: method = winbind # other options for the methods: ntlm_auth = "/path/to/binary... --args" ntlm_auth_timeout = 10 ntlmauth_socket { socket = "/run/ntlmauth.sock" } to use a samba library. Means only changing one option. After a few releases where, say, the "winbind" or "ntlmauth_socket" option is the default and no failure reports (e.g. reasons for people to want to force "ntlm_auth" by exec again), maybe ntlmauth_exec could be removed. Just thinking out loud. Maybe there's a cleaner way. Actually the first method I though of was to just split mschap into multiple modules, one for each auth type. Then realised how much was actually in the mschap module... Cheers Matthew -- Matthew Newton, Ph.D. <mcn4@le.ac.uk> Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, <ithelp@le.ac.uk>