SOC project

Kai Blin blin at
Wed Apr 19 06:57:09 CDT 2006

* "Tom Spear (Dustin Booker, Dustin Navea)" <speeddymon at> [19/04/06, 05:52:32]:
> Kai, don't feel bad.  I actually do think it is a good idea, but to me 
> it looks like you are describing a proposal that will end up going into 
> samba's tree, not ours.  If you could clarify what this will do for 
> wine, I think you might generate a lil more contructive activity (vs 
> "yes please implement more game stuff!").
Sure, easy thing.

So far (since SOC 2005) wine implements SSPI authentication for NTLM
(and Negotiate, in theory, but that patch never made it) via a tool
provided by Samba, called ntlm_auth.

The problem with this approach is that ntlm_auth was never meant to do
much besides NTLM authentication for Squid. For anything besides
authenticating, ntlm_auth isn't feasible. This could of course be fixed
by hacking more functionality into ntlm_auth, but the Samba developers
already said they wouldn't accept patches that bloat ntlm_auth more than
it already is.

The OpenSource reaction to this would be forking the Samba4 code and doing
your own version, but I doubt that really is feasible. Especially as you
would then conflict with existing Samba installations.

Now, Samba4 exposes all this authentication/communication code in a
library you can load from an external program. Using this library to
handle authentication wouldn't change to the current setup. But when
using the library it's possible to do more than authentication, like
signing packages to make sure they were not tampered with and sealing
packages to make sure noone reads their content. Outlook 2003 seems to
use that.

As mentioned before, the only problem about this setup is that so far
GENSEC is only available under the GNU GPL and thus not directly
useable. The Samba people (Andrew Bartlett et al.) indicated that if
that was the only thing stopping us from using the lib, they would
relicense it to LGPL for us.

The benefits for Wine would be the following:
An easy way to implement the SSPI providers for NTLM, Negotiate,
Schannel and Kerberos, as those are handled by GENSEC. (We might decide
to go our own way for Schannel and Kerberos, Juan Lang might be able to
comment on that, he's working on the crypt32 api Schannel can
alternatively be built on). As GENSEC is a seperate library, it doesn't
need the rest of Samba4 installed, so it can be packaged extra. This way
Wine + Gensec would give you a platform to run your SSPI things on, as
opposed to Wine + Samba4, which might conflict with and already
installed samba3 install. Samba4 as a whole will not be released for any
time soon.

Whew, this got bigger than I expected.

Kai Blin, (blin at gmx dot net)
<Mercury> You don't have to be crazy to be a member of the project, but
          you will be.. <=:]

More information about the wine-devel mailing list