Getting Wine to do NTLMSSP authentication and what is needed on the Samba side

Kai Blin kai.blin at
Sun Jul 2 19:18:56 GMT 2006

Hello folks,

As you might know, I'm a Google SoC student implementing NTLMSSP 
signing/sealing in Wine. I've worked on basic NTLM authentication for Wine 
last year, using ntlm_auth. This road proved to be a dead end, though, as 
ntlm_auth does not support signing or sealing packages.

Thus, after talking with Andrew Bartlett and Jelmer Vernooij on SambaXP 06, I 
decided to give Samba4's GENSEC subsystem a try. (This is working pretty 
well, and I have a set of patches[1] that make use of GENSEC to do client 
side authentication and encryption.)

As it happens, the Wine project is using the LGPL license and Samba is using 
the GPL license for this part of the code. The plan was to spin out GENSEC as 
a seperate library under the LGPL. Unfortunately, it seems like this is not 
as easy as we expected.

Today I was talking to Stefan Metzmacher in IRC and he asked me to give a list 
of features I need from this GENSEC library on the mailing list, and here 

* NTLM and, if possible Negotiate authentication client side and server side, 
again if possible.

My use case would be Outlook 2003 talking to an MS Exchange 2003 server, 
authenticating using NTLM. So the bare minimum I could work with would be 
client side NTLM authentication. To have the server side would be a bonus in 
the long run.

* Package signing/verifying for NTLM
* Package sealing/unsealing for NTLM

My use case here would be Outlook 2003 from the above scenario signing or 
encrypting communication to the Exchange server.

* The chosen solution should ideally be working for Wine in the near future.

Looking at those requirements and talking to a couple of people in 
#samba-technical, I see a couple of possible solutions and I depend on your 
help for most of them.

1) Spin out the minimal functionality GENSEC library and find a method to 
handle server side functionality later. This approach has the downside that I 
will be deleting some of the functionality I currently have in Wine, as 
ntlm_auth can do server side authentication. On the plus side, it seems that 
ntlmssp_server is the part that would be tricky to LGPL, client side seems 
easier. I could also keep the old ntlm_auth code around for server side 
authentication, which would add bloat to the Wine source, though.

2) Scratch the current approach using GENSEC and add handling of NTLMSSP blobs 
to winbind. This would possibly go into Samba 3, and thus be part of a 
distribution's Samba package sooner. It would also mean that there is a nice 
IPC border between the GPL and the LGPL code, so no problems there. I would 
need to rewrite that part of Wine yet again, though.
3) Extend ntlm_auth to also handle signing/sealing and extend the current Wine 
code to use ntlm_auth for that, too. This would also keep the GPL and LGPL 
code seperate and force me to ditch my current work, but at least I can keep 
the stuff I did last year. It would add bloat to ntlm_auth, of course.

4) I could drop using Samba at all and try to extend libntlm[2]. I don't 
particularly fancy this idea, but there's a couple of people on the Wine side 
who would prefer not to add another dependency to Wine, so it might be easier 
to convince Alexandre Julliard to accept that code. I would again mean to 
rewrite all the Wine code I wrote so far, plus it smells of reinventing (and 
maintaining) the wheel.

Now as I'd like to have some results besides a GPL fork of Wine to show for 
this summer of code, I would be willing to pick the solution that will get me 
a result first.  For solutions 1)-3) I would need the support of the Samba 
team, of course. 

I am willing to put some work into this on the Samba side, but only if I can 
be sure that my patches will get accepted (after a reasonable amount of time 
and bug fixes, of course).

So, what would be the preferred solution from the Samba side of things? 

Thanks for reading this far, this email got longer than I expected.

[1] (user and password 
are "wine" without the quotes, to stop search engines from indexing the 
patches, as they're not redistributable)
Kai Blin, <kai Dot blin At gmail Dot com>
WorldForge developer
Wine developer
Will code for cotton.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url :

More information about the samba-technical mailing list