Getting Wine to do NTLMSSP authentication and what is needed on the Samba side

Stefan (metze) Metzmacher metze at
Mon Jul 3 09:54:20 GMT 2006

Hash: SHA1

Kai Blin schrieb:
> Looking at those requirements and talking to a couple of people in 
> #samba-technical, I see a couple of possible solutions and I depend on your 
> help for most of them.
> 1) Spin out the minimal functionality GENSEC library and find a method to 
> handle server side functionality later. This approach has the downside that I 
> will be deleting some of the functionality I currently have in Wine, as 
> ntlm_auth can do server side authentication. On the plus side, it seems that 
> ntlmssp_server is the part that would be tricky to LGPL, client side seems 
> easier. I could also keep the old ntlm_auth code around for server side 
> authentication, which would add bloat to the Wine source, though.
> 2) Scratch the current approach using GENSEC and add handling of NTLMSSP blobs 
> to winbind. This would possibly go into Samba 3, and thus be part of a 
> distribution's Samba package sooner. It would also mean that there is a nice 
> IPC border between the GPL and the LGPL code, so no problems there. I would 
> need to rewrite that part of Wine yet again, though.

I would vote for a combination of 1) and 2)

I think we should only pass authentification blobs to winbind,
so that ntlmssp_server.c works with a generic backend,
the current one to samba's auth subsystem.

and one that passes the blob's from gensec_update() to winbind

but the sign and seal should be part of the LGPL'ed library,
as asking winbind for each packet for en/decrypting would be bad!

Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with SUSE -


More information about the samba-technical mailing list