andrew bartlett, your sarcasm is totally inappropriate, and
you are completely out of line, and you damn well know it.
get a grip, and if you cannot do so, do not embarrass yourself
or the reputation of the samba team, which you represent by
utilising a "samba.org" email address, by replying at all.
i also cannot reply and tell you this because of a decision
made on the 15th december 2004 by the samba team to block all
email sent by me to samba.org and to treat any such attempts as
"net abuse".
if you pick up this message on the mailing lists i hope that
you will, should you wish to make useful contributions to
this discussion, provide a suitable email address to which i
can reply.
anyway: in order to move discussions _forward_ rather than put
it on an actively hostile footing, i will rewrite your message
in a more appropriate manner and i trust that this meets with
your approval.
i will then reply to it.
"dear luke,
thank you for raising this issue. your message is a
bit long, so i will skip most of it and mention just
one thing.
i trust that you are aware that NTLM authentication has
been provided for quite some time to external services,
in a number of ways. as you helped design one of those
methods (the winbind_auth_crap :) and guided tim in its
implementation, i am puzzled by the fact that it was not
mentioned in your message.
there is also an additional method which has been
developed in samba 3, called ntlm_auth, which has even
been utilised by a SOC Google student.
both these methods avoid reimplementation of NTLMSSP:
what therefore are you proposing that is, if at all,
different from this? i don't understand: perhaps you
could explain?
anyway, it is good to hear from you and your design
input even if it is a little bit mad is always welcome.
best regards,
andrew bartlett."
now, pretending that you have written the above paragraphs
instead of the ones below, i will proceed.
without sarcasm and without endeavouring to be totally and
blatantly and unnecessarily cruel.
dear andrew,
thanks for replying,
okay. i re-read my message several times and i _knew_ i had missed
something out - explicitly mentioning winbind.
sorry!
and no, i wasn't aware of ntlm_auth: it's good to hear of that because
yes it might prove useful.
no, of course i am not advocating that NTLMSSP be reimplemented:
i will clarify this later in this reply.
i should be clear (and this will help rob as well) that the specific
focus of my message was directed towards _reactos_ not towards wine (per
se). the requirements are therefore quite different.
yes, for _wine_ - you (and rob) are absolutely correct: ntlm_auth and
winbindd are perfectly adequate.
the reason why? samba can be run ON THE SAME MACHINE. samba is a unix
service: wine is a win32 emulation layer running _on unix_.
the reason why that is inappropriate for reactos? samba cannot run on a
win32 platform. therefore any attempt to contact a unix service will
require implementation of a POSIX subsystem in reactos as a primary
requirement!!!
... oops :)
it's that straightforward.
there is also a second difference (which isn't anything to do with what
you mention - use of winbind or ntlm_auth) which is to do with the
implementation: in reactos, things have to be done "properly" in this
area (authentication) - and that means implementing an LSASS (lsa
security service) MSV1_0.DLL and registering it with the LSASS running
in NTOSKRNL.
i do not know what has been picked / decided upon for Wine, but for
reactos MSV1_0.DLL is definitely the way forward.
what else is relevant that i may have missed... oh, yes: samba tng's
winbindd.
i added an extra "method" to winbindd, which was required for freedce's
"ntlmsspauth.so".
winbindd pre-modifications (and therefore also the version in samba
afaik) does not contain a means to utilise NT+LM hashes plus domain name
in unicode plus username in unicode, and it most certainly doesn't
return a NET_USER_INFO_3 structure.
this is an absolute critical requirement for "authorisation"
purposes - not least because the NET_USER_INFO_3 structure,
as you are undoubtedly aware (but others might not be so i
mention it for completeness), contains the 16-bit "session key".
it also contains the group SIDs etc. which are again essential
to be returned to the LsaLogonUser (and LsaLogonUserEx)
functions - see lsa.c in ReactOS code.
so, anyway, this is what i added to samba tng's winbindd and also to a
client-side function which freedce's ntlmsspauth.so module could then
use.
i do not know what nltm_auth does so i could not advise you as to
whether it would be appropriate: perhaps you could help out by pointing
people to some appropriate documentation on the ntlm_auth API, in order
to evaluate whether it would be suitable (possibly even for reactos: i
won't know until i see the API)
okay. what else.
oh, yes. the use of ntlm_auth and/or winbindd to "outsource"
authentication is, i believe, a "temporary" measure, that allows
the parallel development and maturisation of Wine / ReactOS
specific code (in the case of ReactOS, that's MSV1_0.DLL)
_without_ having to pull in a shed-load of code.
the API is basically this: send (in unicode) a plaintext
password, a domain name and a username, and receive a yes/no
answer along with a NET_USER_INFO_3 structure, from which the
session key and group sids can be "pulled".
there's also the second function LsaLogonUserEx which is i believe
"send NT+LM hashes, plus unicode domain name, unicode username, and
receive..." but it would take a little reverse-engineering to
double-check.
so yes, in conclusion, i believe that the use of ntlm_auth
and/or winbind _may_ be appropriate for Wine, is temporarily
appropriate for proof-of-concept in ReactOS, but for final
code in ReactOS, definitely not.
that's the gist: hope this helps clarify things.
l.
On Fri, Sep 02, 2005 at 11:25:36PM +1000, Andrew Bartlett wrote:
> On Fri, 2005-09-02 at 01:39 +0100, Luke Kenneth Casson Leighton wrote:
>> I will leave the rest of this mail well aside, but I just wanted to
> clarify exactly how long we have been providing NTLM authentication
> services to external projects:
>> > 2) write a lovely insecure method of "outsourcing" the username,
> > domain and password to an external server - Samba TNG - which performs
> > the authentication on your behalf and gets back "real" data.
> >
> > this could be done simply with a TCP connection, throw the data
> > in-the-clear over to a simple temporary shim service blah blah,
> > bob's your uncle.
>> Like, say the winbind_auth_crap (thank Mr Potter for the name) function
> in Samba's winbindd client interface, used successfully by external
> projects (Squid in particular) since Samba 2.2?
>> Or better still (avoiding reimplementing NTLMSSP) by calling ntlm_auth
> (shipped with Samba 3.0 since release)? Oh wait, we hooked up a Google
> SOC student to do just that, and it's working well! :-)
>> Andrew Bartlett
>> --
> Andrew Bartlett http://samba.org/~abartlet/
> Samba Developer, SuSE Labs, Novell Inc. http://suse.de
> Authentication Developer, Samba Team http://samba.org
> Student Network Administrator, Hawker College http://hawkerc.net
--
--
<a href="http://lkcl.net">http://lkcl.net</a>
--
More information about the Ros-dev
mailing list
CHAPTER VII. THE FOUR CLASSES OF SOCIETY. THE FOUR CLASSES OF SOCIETY. "After the herald had given the names of the wrestlers who were to make the first round, the fellows came in. They were dressed without any clothes to speak of, or rather they were quite undressed, with the exception of a cloth around their loins. They came in on opposite sides of the ring, and stood there about five feet apart, each man resting his hands on his knees, and glaring at the other like a wild beast. They[Pg 231] looked more like a pair of tigers than human beings, and for a moment I thought it was not at all unlike what a bull-fight in Spain might be. I turned upon her choking with anger, but her melting beauty rendered me helpless. Black woods were on our left. "Shall we turn in here?" I asked. "None of that with me," he growled. "Do you know who I am, Countess Lalage? I am Leon Lagage, Count of the Holy Roman Empire, and your husband. Incomparable woman, you cannot alter that fact. For better or worse, for richer or poorer, till death do us part!" I have in this way imperfectly indicated a methodical plan of generating a design, as far as words alone will serve, beginning with certain premises based upon a particular work to be performed, and then proceeding to consider in consecutive order the general character of the machine, mode of operation, movements and adjustments, general arrangement, strains, special arrangement, and proportions. ‘Alas! what is life, what is death, what are we, 11th January two best dresses. Commencement was as usual, with a few showers “All right,” agreed Sandy. “Dick, you and I are the ground crew. As soon as you’re ready, Mr. Whiteside, we’ll take hold!” Effects of Walpole's Administration—Formation of the new Ministry—Attitude of the Malcontents—Committee of Inquiry into Walpole's Administration—Walpole's Protectors—Ministerial Measures—Prorogation of Parliament—Disasters of the French—British Division in the Netherlands—Opening of Parliament—The German Mercenaries—Amendment of the Gin Act—George goes to Germany—Stair and De Noailles in Franconia—Stair in a Trap—Bold Resolution of King George—The Battle of Dettingen—Resignation of Stair—Retreat of the French—Negotiations for Peace—Treaty of Worms—Pelham becomes Prime Minister—The Attacks of Pitt on Carteret—Attempted Invasion of England—Its Failure—Progress of the French Arms—Frederick II. invades Bohemia—His Retirement—Resignation of Carteret—Pelham strengthens his Ministry—Death of the Emperor—Campaign in Flanders—Battle of Fontenoy—Campaign of Frederick II.—The Young Pretender's Preparations—Loss of the Elizabeth—Landing in the Hebrides—The Highland Clans join him—The First Brush—Raising of the Standard—Cope's Mistake—He turns aside at Dalwhinnie—Charles makes a Dash for Edinburgh—The March to Stirling—Right of the Dragoons—The "Canter of Coltbridge"—Edinburgh surprised by the Highlanders—Charles marching against Cope—Battle of Prestonpans—Delay in marching South—Discontent of the Highland Chiefs—The Start—Preparations in England—Apathy of the Aristocracy—Arrival of the Duke of Cumberland—Charles crosses the Border—Capture of Carlisle—The March to Derby—Resolution to retreat—"Black Friday"—The Retreat—Recapture of Carlisle—Siege of Stirling—Battle of Falkirk—Retreat to the Highlands—Cumberland's Pursuit—Gradual Collapse of the Highlanders—Battle of Culloden—Termination of the Rebellion—Cruelty of the Duke of Cumberland—Adventures of the Young Pretender—Trials and Executions—Ministerial Crisis. The next morning he was up betimes, and cooked the boys as good a breakfast as he could out of the remainder of his store and what he could get from the hospital, and then gave what was left to whoever came. The comfortable crib, which had cost the Deacon so much labor, had been pre-empted by the Surgeon for some of his weakest patients. "You two step forward one pace," he commanded. "Gentleman, I've got my six. The rest are yours." "Where are you goin'?" he said sternly. Every now and then the crowd would break into the latest rhymings of MacKinnon's poet: A large thicket, at this moment, gave the dusty foot an opportunity of doubling, and, for an instant, diverging from the straightforward course, though it availed him little, he seemed to feel the breath of his pursuer on the back of his neck; his foot sounded as if at his heels; he drew his garment closely around him, turned suddenly to the right, and, bounding from the ground, the next instant a splash was heard in the little river, and the fugitive was safe from his pursuer. HoME明日之后怎么免费刷一级纳米材料
ENTER NUMBET 0018jiaxinwujin.com.cn www.aimibb.com.cn www.hufeef.com.cn falv315.com.cn jukewuxian.com.cn yshu.net.cn www.pvza.com.cn www.mtaowu.com.cn unxe.com.cn kmpaige.com.cn