Getting Wine to do NTLMSSP authentication and what is needed on the Samba side
Kai Blin
kai.blin at gmail.com
Sun Jul 2 19:18:56 GMT 2006
Hello folks,
As you might know, I'm a Google SoC student implementing NTLMSSP
signing/sealing in Wine. I worked on basic NTLM authentication for Wine
last year, using ntlm_auth. This road proved to be a dead end, though, as
ntlm_auth does not support signing or sealing packages.
Thus, after talking with Andrew Bartlett and Jelmer Vernooij on SambaXP 06, I
decided to give Samba4's GENSEC subsystem a try. (This is working pretty
well, and I have a set of patches[1] that make use of GENSEC to do client
side authentication and encryption.)
As it happens, the Wine project is using the LGPL license and Samba is using
the GPL license for this part of the code. The plan was to spin out GENSEC as
a separate library under the LGPL. Unfortunately, it seems like this is not
as easy as we expected.
Today I was talking to Stefan Metzmacher in IRC and he asked me to give a list
of features I need from this GENSEC library on the mailing list, and here
goes:
* NTLM and, if possible, Negotiate authentication, client side and server side
(again, if possible).
My use case would be Outlook 2003 talking to an MS Exchange 2003 server,
authenticating using NTLM. So the bare minimum I could work with would be
client side NTLM authentication. To have the server side would be a bonus in
the long run.
* Package signing/verifying for NTLM
* Package sealing/unsealing for NTLM
My use case here would be Outlook 2003 from the above scenario signing or
encrypting communication to the Exchange server.
* The chosen solution should ideally be working for Wine in the near future.
Looking at those requirements and talking to a couple of people in
#samba-technical, I see a couple of possible solutions and I depend on your
help for most of them.
1) Spin out the minimal functionality GENSEC library and find a method to
handle server side functionality later. This approach has the downside that I
will be deleting some of the functionality I currently have in Wine, as
ntlm_auth can do server side authentication. On the plus side, it seems that
ntlmssp_server is the part that would be tricky to LGPL, client side seems
easier. I could also keep the old ntlm_auth code around for server side
authentication, which would add bloat to the Wine source, though.
2) Scratch the current approach using GENSEC and add handling of NTLMSSP blobs
to winbind. This would possibly go into Samba 3, and thus be part of a
distribution's Samba package sooner. It would also mean that there is a nice
IPC border between the GPL and the LGPL code, so no problems there. I would
need to rewrite that part of Wine yet again, though.
3) Extend ntlm_auth to also handle signing/sealing and extend the current Wine
code to use ntlm_auth for that, too. This would also keep the GPL and LGPL
code separate and force me to ditch my current work, but at least I can keep
the stuff I did last year. It would add bloat to ntlm_auth, of course.
4) I could drop using Samba at all and try to extend libntlm[2]. I don't
particularly fancy this idea, but there's a couple of people on the Wine side
who would prefer not to add another dependency to Wine, so it might be easier
to convince Alexandre Julliard to accept that code. It would again mean
rewriting all the Wine code I wrote so far, plus it smells of reinventing (and
maintaining) the wheel.
Now as I'd like to have some results besides a GPL fork of Wine to show for
this summer of code, I would be willing to pick the solution that will get me
a result first. For solutions 1)-3) I would need the support of the Samba
team, of course.
I am willing to put some work into this on the Samba side, but only if I can
be sure that my patches will get accepted (after a reasonable amount of time
and bug fixes, of course).
So, what would be the preferred solution from the Samba side of things?
Thanks for reading this far; this email got longer than I expected.
Kai
[1] http://www.nowhere-productions.org/code/wine/patches/ (user and password
are "wine" without the quotes, to stop search engines from indexing the
patches, as they're not redistributable)
[2] http://josefsson.org/libntlm/
--
Kai Blin, <kai Dot blin At gmail Dot com>
WorldForge developer http://www.worldforge.org/
Wine developer http://wiki.winehq.org/KaiBlin/
--
Will code for cotton.
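To make concrete what the "package signing/verifying" and "package sealing/unsealing" requirements above amount to, here is an added illustration that is not part of Kai's mail and not code from Wine, Samba, GENSEC or ntlm_auth. It follows the MS-NLMP description of NTLMSSP extended session security with key exchange: per-direction signing and sealing keys are derived from the exported session key with MD5 and the well-known magic constants, a message signature is Version || HMAC-MD5 checksum (first 8 bytes, RC4-encrypted with the sealing handle) || sequence number, and sealing is RC4 over the message with the same handle. The 16-byte session key, the RPC PDU payloads and the class and function names are constructed for the example.

```python
"""Added example: one direction (client-to-server) of an NTLMSSP session with
extended session security and KEY_EXCH, per MS-NLMP 3.4.3-3.4.5.
Session key and payloads are constructed placeholders."""
import hashlib
import hmac
import struct

# Magic constants from MS-NLMP 3.4.5.2 / 3.4.5.3 (the trailing NUL is part of the key input).
SIGN_C2S = b"session key to client-to-server signing key magic constant\x00"
SEAL_C2S = b"session key to client-to-server sealing key magic constant\x00"
SIGN_S2C = b"session key to server-to-client signing key magic constant\x00"
SEAL_S2C = b"session key to server-to-client sealing key magic constant\x00"


class RC4:
    """Minimal stateful RC4 stream; NTLMSSP keeps one such handle per direction."""

    def __init__(self, key: bytes):
        s = list(range(256))
        j = 0
        for i in range(256):  # key scheduling
            j = (j + s[i] + key[i % len(key)]) & 0xFF
            s[i], s[j] = s[j], s[i]
        self.s, self.i, self.j = s, 0, 0

    def crypt(self, data: bytes) -> bytes:
        out = bytearray()
        for b in data:  # keystream generation, state carried across calls
            self.i = (self.i + 1) & 0xFF
            self.j = (self.j + self.s[self.i]) & 0xFF
            self.s[self.i], self.s[self.j] = self.s[self.j], self.s[self.i]
            out.append(b ^ self.s[(self.s[self.i] + self.s[self.j]) & 0xFF])
        return bytes(out)


def derive_keys(session_key: bytes, client_to_server: bool = True):
    """SIGNKEY/SEALKEY for one direction; 128-bit key length (NTLMSSP_NEGOTIATE_128) assumed."""
    sign_const, seal_const = (SIGN_C2S, SEAL_C2S) if client_to_server else (SIGN_S2C, SEAL_S2C)
    sign_key = hashlib.md5(session_key + sign_const).digest()
    seal_key = hashlib.md5(session_key + seal_const).digest()
    return sign_key, seal_key


class NtlmsspDirection:
    """Sequence number plus RC4 sealing handle for one direction of a session.
    Both peers instantiate it with the same session key and direction flag."""

    def __init__(self, session_key: bytes, client_to_server: bool = True):
        self.sign_key, seal_key = derive_keys(session_key, client_to_server)
        self.handle = RC4(seal_key)
        self.seq = 0

    def _mac(self, message: bytes) -> bytes:
        seq = struct.pack("<I", self.seq)
        checksum = hmac.new(self.sign_key, seq + message, hashlib.md5).digest()[:8]
        checksum = self.handle.crypt(checksum)  # KEY_EXCH: the checksum is RC4'd too
        self.seq += 1
        return struct.pack("<I", 1) + checksum + seq  # Version || Checksum || SeqNum (16 bytes)

    def sign(self, message: bytes) -> bytes:
        return self._mac(message)

    def verify(self, message: bytes, signature: bytes) -> bool:
        # Recomputing the MAC advances seq and the RC4 handle exactly as the sender did.
        return hmac.compare_digest(self._mac(message), signature)

    def seal(self, message: bytes):
        sealed = self.handle.crypt(message)  # message is encrypted first, then the checksum
        return sealed, self._mac(message)

    def unseal(self, sealed: bytes, signature: bytes):
        message = self.handle.crypt(sealed)
        return message, self.verify(message, signature)


def demo():
    """Round-trip a sealed PDU, then show a modified signed PDU failing verification."""
    session_key = bytes(range(16))  # constructed placeholder, not a real exported session key
    client = NtlmsspDirection(session_key, client_to_server=True)
    server = NtlmsspDirection(session_key, client_to_server=True)  # server's view of the same direction
    sealed, sig = client.seal(b"constructed RPC PDU 1")
    plain, ok = server.unseal(sealed, sig)
    sig2 = client.sign(b"constructed RPC PDU 2")
    tampered_ok = server.verify(b"constructed RPC PDU 2!", sig2)  # altered in transit
    return plain == b"constructed RPC PDU 1", ok, sealed != plain, tampered_ok


if __name__ == "__main__":
    print(demo())
```

Because the same RC4 handle encrypts both the payload and the checksum, both peers must process messages in the same order; that is why NTLMSSP needs separate sequence numbers and handles per direction, and why a library exposing sign/seal to Wine has to keep that state inside the security context rather than recomputing it per call.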