http://bugs.winehq.org/show_bug.cgi?id=19781 --- Comment #2 from Dmitry Timoshkov <dmitry(a)codeweavers.com> 2009-09-23 05:14:03 --- In order to simplify debugging I've added all environment varibales from vsvars32.bat to System\CurrentControlSet\Control\Session Manager\Environment, and run 'mspdbsrv.exe -start -spawn ' and 'cl -Zi hello.c' from separate terminals. Dan, could you please generate and attach the +relay,+seh,+tid,+secur32,+ntlm log to see if that shows the same failure (with ntlm_auth) I have? Just in case that should be WINEDEBUG=+relay,+seh,+tid,+secur32,+ntlm wine cl -Zi hello.c &>~/cl.log -- Configure bugmail: http://bugs.winehq.org/userprefs.cgi?tab=email Do not reply to this email, post in Bugzilla using the above URL to reply. ------- You are receiving this mail because: ------- You are watching all bug changes.

http://bugs.winehq.org/show_bug.cgi?id=19781 --- Comment #4 from Dmitry Timoshkov <dmitry(a)codeweavers.com> 2009-09-23 09:18:07 --- (In reply to comment #3)

I can reproduce this here. Looks like ntlm_auth fails because it's not supplied with a password and it can't retrieve any cached credentials.

Yep, exactly the same symptoms here.

I wonder if such a call sequence would succeed on Windows because the user has already logged on to the OS?

I don't see anything wrong with the call sequence, the app does AcquireCredentialsHandleW() followed by InitializeSecurityContextW(). That's a normal sequence to start with. -- Configure bugmail: http://bugs.winehq.org/userprefs.cgi?tab=email Do not reply to this email, post in Bugzilla using the above URL to reply. ------- You are receiving this mail because: ------- You are watching all bug changes.

http://bugs.winehq.org/show_bug.cgi?id=19781 --- Comment #6 from Dmitry Timoshkov <dmitry(a)codeweavers.com> 2009-09-30 07:54:41 --- The app does: GetUserNameEx(NameSamCompatible, user_name, &len); RpcBindingSetAuthInfoExW(&binding, user_name, RPC_C_AUTHN_LEVEL_PKT_PRIVACY, RPC_C_AUTHN_WINNT, NULL, RPC_C_AUTHN_DEFAULT, &qos); then an RPC call happens which leads to InitializeSecurityContextW() which fails. The problem seems to be caused by the fact that the app doesn't pass any authentication info to RpcBindingSetAuthInfoExW, although MSDN states that "When using the RPC_C_AUTHN_WINNT authentication service AuthIdentity should be a pointer to a SEC_WINNT_AUTH_IDENTITY structure" and "Specify a null value to use the security login context for the current address space." The app passes NULL as AuthIdentity handle, and RpcBindingSetAuthInfoExW tries to get an existing authentication credentials, and it appears that secur32/ntlm_auth can't cope with that. -- Configure bugmail: http://bugs.winehq.org/userprefs.cgi?tab=email Do not reply to this email, post in Bugzilla using the above URL to reply. ------- You are receiving this mail because: ------- You are watching all bug changes.

http://bugs.winehq.org/show_bug.cgi?id=19781 --- Comment #8 from Hans Leidekker <hans(a)meelstraat.net> 2009-10-06 03:34:19 --- I've submitted a test showing that InitializeSecurityContext returns SEC_I_CONTINUE_NEEDED after supplying null authentication data to AcquireCredentialsHandle. The problem is that on Wine there's currently no concept of a "security login context for the current address space", as msdn calls it. This is what will be used when you pass null authentication data to AcquireCredentialsHandle. You can work around this bug by caching credentials, e.g. with code like this: CREDENTIALA cred; static WCHAR pwd[] = {'p','w','d'}; static char user[] = {'h','o','s','t','\\','u','s','e','r',0}; memset(&cred, 0, sizeof(cred)); cred.Type = CRED_TYPE_DOMAIN_PASSWORD; cred.TargetName = user; cred.CredentialBlobSize = sizeof(pwd); cred.CredentialBlob = (LPBYTE)pwd; cred.Persist = CRED_PERSIST_SESSION; cred.UserName = user; CredWriteA(&cred, 0); Substituting static data appropriately, of course. Now InitializeSecurityContext will return SEC_I_CONTINUE_NEEDED and we run into another crash: 001a:Ret secur32.EncryptMessage() retval=80090321 ret=7eb3f895 001a:err:rpc:RPCRT4_SecurePacket EncryptMessage failed with 0x80090321 001a:Call ntdll.RtlFreeHeap(00110000,00000000,001699b8) ret=7eb408ce 001a:Ret ntdll.RtlFreeHeap() retval=00000001 ret=7eb408ce 001a:Call ntdll.RtlFreeHeap(00110000,00000000,00169b10) ret=7eb3f356 001a:Ret ntdll.RtlFreeHeap() retval=00000001 ret=7eb3f356 001a:Call KERNEL32.RaiseException(00000721,00000000,00000000,00000000) ret=7eb4d405 80090321 == SEC_E_BUFFER_TOO_SMALL. Is rpcrt4 calling EncryptMessage too early, i.e. before completing the ntlm handshake? -- Configure bugmail: http://bugs.winehq.org/userprefs.cgi?tab=email Do not reply to this email, post in Bugzilla using the above URL to reply. ------- You are receiving this mail because: ------- You are watching all bug changes.

http://bugs.winehq.org/show_bug.cgi?id=19781 --- Comment #10 from Kai Blin <kai.blin(a)gmail.com> 2009-10-14 01:13:15 --- I'll try to get this setup on my system, but while I'm looking into that, could anybody who already has the setup get me a +ntlm,+secur32 trace? One other thing.. ntlm_auth doesn't do authentication standalone. Is vc expecting to have a domain environment around? If it's trying to do NTLM auth locally, we're in trouble, as we can't do that. We could try and fake something there, but I haven't seen any calls to AcceptSecurityContext, so I'm not sure if that's being called at all. -- Configure bugmail: http://bugs.winehq.org/userprefs.cgi?tab=email Do not reply to this email, post in Bugzilla using the above URL to reply. ------- You are receiving this mail because: ------- You are watching all bug changes.

http://bugs.winehq.org/show_bug.cgi?id=19781 --- Comment #12 from Dmitry Timoshkov <dmitry(a)codeweavers.com> 2009-10-14 02:48:35 --- Here is the test: http://source.winehq.org/git/wine.git/?a=commitdiff;h=8bb68933ea37766c3fd4ed... And yes, the app tries to get an authentication with the local service via rpc. -- Configure bugmail: http://bugs.winehq.org/userprefs.cgi?tab=email Do not reply to this email, post in Bugzilla using the above URL to reply. ------- You are receiving this mail because: ------- You are watching all bug changes.

http://bugs.winehq.org/show_bug.cgi?id=19781 Kai Blin <kai.blin(a)gmail.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |kai.blin(a)gmail.com --- Comment #14 from Kai Blin <kai.blin(a)gmail.com> 2009-10-14 06:36:00 --- (In reply to comment #11)

The test Hans added is supposed to replicate the problem. Does the test pass for you?

Right, I missed that. Sorry. Nope, as expected it doesn't pass for me either. This is Rob's cached credentials code, I never got the Wine-side credential cache to work myself. :) I know of one user who uses the winbind cached credentials, but the wine cred cache seems to be pretty un-tested (and broken, no big surprise). (In reply to comment #12)

And yes, the app tries to get an authentication with the local service via rpc.

I think we could cheat our way through this here. I haven't looked into this stuff for a while, but all we need to come up with for the local case is a username/password combination ntlm_auth will accept for the "server" side. You can easily bypass the usual check ntlm_auth does for the server side by running ntlm_auth with --username=user --password=pass --domain=dom So assuming ntlm_GetCachedCredential() returned user WINE\bob and password secret if there's no real cached credentials... we'll handsomely break winbind-based cached credentials if we need to authenticate against a remote server. I'll have to give this some more thought. Sorry I can't provide you with a ready solution here. A long-term fix would be to get Samba winbindd to also be able to authenticate local users (like the local SAM on a windows machine) and store that user's creds in the winbind cache at login time, just like it does for domain logins. Then Wine could always use the winbind credentials cache. Unfortunately, winbindd can't do that quite yet, probably a couple of man-weeks worth of work on Wine and Samba if you know where to look. -- Configure bugmail: http://bugs.winehq.org/userprefs.cgi?tab=email Do not reply to this email, post in Bugzilla using the above URL to reply. ------- You are receiving this mail because: ------- You are watching all bug changes.

http://bugs.winehq.org/show_bug.cgi?id=19781 --- Comment #16 from Kai Blin <kai.blin(a)gmail.com> 2009-10-14 12:47:56 --- Created an attachment (id=24129) --> (http://bugs.winehq.org/attachment.cgi?id=24129) Use empty passwird if cached credentials fail Work-around for the failing cached credentials. This sends an empty password to make ntlm_auth happy. With this workaround, we should be able to get to the point where the server side of the RPC fails. -- Configure bugmail: http://bugs.winehq.org/userprefs.cgi?tab=email Do not reply to this email, post in Bugzilla using the above URL to reply. ------- You are receiving this mail because: ------- You are watching all bug changes.

http://bugs.winehq.org/show_bug.cgi?id=19781 --- Comment #18 from Kai Blin <kai.blin(a)gmail.com> 2009-10-15 01:36:57 --- Can I get a +ntlm trace of that, please? -- Configure bugmail: http://bugs.winehq.org/userprefs.cgi?tab=email Do not reply to this email, post in Bugzilla using the above URL to reply. ------- You are receiving this mail because: ------- You are watching all bug changes.

http://bugs.winehq.org/show_bug.cgi?id=19781 --- Comment #20 from Dan Kegel <dank(a)kegel.com> 2009-10-21 23:22:43 --- I'm jonesin' for this; being able to builds the memcheck test suite under wine with /Zi, and then run it under valgrind+wine would be quite the hat trick. What's the current status? -- Configure bugmail: http://bugs.winehq.org/userprefs.cgi?tab=email Do not reply to this email, post in Bugzilla using the above URL to reply. ------- You are receiving this mail because: ------- You are watching all bug changes.

http://bugs.winehq.org/show_bug.cgi?id=19781 --- Comment #22 from Hans Leidekker <hans(a)meelstraat.net> 2009-10-22 02:17:49 --- Perhaps you demoed outlook in rpc over https mode? In which case ntlm authentication works fine. I agree that secure rpc's likely have not worked before. At least I can't find the code to build all of the corresponding packets. I found this old perl implementation, perhaps it's useful: http://cpansearch.perl.org/src/UMVUE/DCE-RPC-0.11/lib/DCE/RPC.pm -- Configure bugmail: http://bugs.winehq.org/userprefs.cgi?tab=email Do not reply to this email, post in Bugzilla using the above URL to reply. ------- You are receiving this mail because: ------- You are watching all bug changes.

http://bugs.winehq.org/show_bug.cgi?id=19781 --- Comment #24 from Kai Blin <kai.blin(a)gmail.com> 2009-10-29 03:21:41 --- (In reply to comment #23)

thanks for looking at this. Hope university releases its grip enough to let you wrap your head around it soon! What's the prognosis?

Well, _if_ I could find my way around the horrible mess that is our RPC code, I might be able to do something. I keep wasting the few hours I have per week at poking around the rpc code. Basically, RPCRT4_ClientAuthorize needs to send the buffer returned from InitializeSecurityContext to the server, then receive the reply from the server and loop on doing that until the result from InitializeSecurityContext isn't SEC_I_CONTINUE anymore. However, so far I haven't managed to find out how to do the "send to server" and "receive from server" parts are supposed to work. I'm stuck at that point. -- Configure bugmail: http://bugs.winehq.org/userprefs.cgi?tab=email Do not reply to this email, post in Bugzilla using the above URL to reply. ------- You are receiving this mail because: ------- You are watching all bug changes.

http://bugs.winehq.org/show_bug.cgi?id=19781 --- Comment #26 from Hans Leidekker <hans(a)meelstraat.net> 2009-11-04 05:04:04 --- I was wrong, it appears that authentication services need to be registered by the rpc server and ncalrpc simply has RPC_C_AUTHN_WINNT registered by default. So, after a call to RpcServerRegisterAuthInfo, my test appears to do secure rpcs over ncacn_ip_tcp. -- Configure bugmail: http://bugs.winehq.org/userprefs.cgi?tab=email Do not reply to this email, post in Bugzilla using the above URL to reply. ------- You are receiving this mail because: ------- You are watching all bug changes.

http://bugs.winehq.org/show_bug.cgi?id=19781 --- Comment #28 from Kai Blin <kai.blin(a)gmail.com> 2009-11-07 04:59:42 --- Actually the problem is that the rpc server side in Wine does not handle authentication whatsoever. It never calls out to SSPI and never attaches a challenge packet to the BIND_ACK reply, so the rpc client code never finishes the handshake. So technically this is an rpc bug. :) -- Configure bugmail: http://bugs.winehq.org/userprefs.cgi?tab=email Do not reply to this email, post in Bugzilla using the above URL to reply. ------- You are receiving this mail because: ------- You are watching all bug changes.

http://bugs.winehq.org/show_bug.cgi?id=19781 --- Comment #29 from Rob Shearman <robertshearman(a)gmail.com> 2009-11-07 07:23:06 --- While the app here may benefit from work to add support for authentication on the server side, I suspect that authentication over ncalrpc is special cased to be a no-op in the native DLL. This is supported by Hans' findings that RpcServerRegisterAuthInfo does not need to be called on the server side for the client to be able to succeed whilst specifying NTLM authentication to be applied. More tests need to be done to see whether the identity passed into RpcBindingSetAuthInfo is seen on the server side (RpcBindingInqAuthClient) for ncalrpc & ncacn_ip_tcp. -- Configure bugmail: http://bugs.winehq.org/userprefs.cgi?tab=email Do not reply to this email, post in Bugzilla using the above URL to reply. ------- You are receiving this mail because: ------- You are watching all bug changes.

http://bugs.winehq.org/show_bug.cgi?id=19781 Hans Leidekker <hans(a)meelstraat.net> changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #24545|0 |1 is obsolete| | --- Comment #30 from Hans Leidekker <hans(a)meelstraat.net> 2009-11-17 04:08:59 --- Created an attachment (id=24799) --> (http://bugs.winehq.org/attachment.cgi?id=24799) rpcrt4: Add secure rpc tests.

applied. More tests need to be done to see whether the identity passed into RpcBindingSetAuthInfo is seen on the server side (RpcBindingInqAuthClient) for ncalrpc & ncacn_ip_tcp.

These updated tests succeed here on Windows and crash in the same way cl.exe does on Wine. RpcBindingInqAuthClient does not return a handle to the client identity in the Privs parameter in case of ncalrpc, if that's what you mean. Instead it returns the principal as a Unicode string, as documented on MSDN. -- Configure bugmail: http://bugs.winehq.org/userprefs.cgi?tab=email Do not reply to this email, post in Bugzilla using the above URL to reply. ------- You are receiving this mail because: ------- You are watching all bug changes.

http://bugs.winehq.org/show_bug.cgi?id=19781 --- Comment #32 from Dan Kegel <dank(a)kegel.com> 2009-11-29 18:53:11 --- Close, but not quite there yet. Doing rm -rf ~/.wine sh winetricks vc2005trial cd ~/.wine/drive_c/Program Files/Microsoft Visual Studio 8/Common7/Tools cp ~/hello.c . wine cmd vsvars32.bat cl -Zi hello.c yields fixme:ole:NdrCorrelationInitialize (0x33e330, 0x33df30, 1024, 0x0): stub fixme:ole:NdrCorrelationInitialize (0x33e330, 0x33df30, 1024, 0x0): stub fixme:rpc:NdrStubCall2 new correlation description not implemented fixme:rpc:calc_arg_size Unhandled type 30 err:rpc:I_RpcReceive we got fault packet with status 0x3e6 fixme:ole:NdrCorrelationInitialize (0x33e330, 0x33df30, 1024, 0x0): stub fixme:rpc:NdrStubCall2 new correlation description not implemented fixme:rpc:calc_arg_size Unhandled type 30 fixme:ole:NdrCorrelationFree (0x33e330): stub hello.c : fatal error C1902: Program database manager mismatch; please check your installation which seems a less dire set of errors than in the original post, but still the app didn't work. (I'm pretty sure the same problem affects both vc2005 trial and vc2005 express.) -- Configure bugmail: http://bugs.winehq.org/userprefs.cgi?tab=email Do not reply to this email, post in Bugzilla using the above URL to reply. ------- You are receiving this mail because: ------- You are watching all bug changes.

http://bugs.winehq.org/show_bug.cgi?id=19781 Ian McLean <ian(a)perceptivepixel.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |ian(a)perceptivepixel.com --- Comment #34 from Ian McLean <ian(a)perceptivepixel.com> 2009-12-12 17:00:41 --- I've confirmed that Rob's two latest patches enable PDB generation with: MSPDB71.DLL version 7.10.6030 MSPDB80.DLL version 8.0.50727.762 MSPDB80.DLL version 9.0.30729.1 Built with: CL.EXE version 13.10.6030 CL.EXE version 14.00.50727.762 CL.EXE version 15.00.30729.01 AKA: Microsoft Visual Studio .NET 2003 Microsoft Visual Studio 2005 Microsoft Visual Studio 2008 Non-trivial test; over 500MB of PDBs; many applications and DLLs. Thank you! This closes our cross-compile loop for development builds. -- Configure bugmail: http://bugs.winehq.org/userprefs.cgi?tab=email Do not reply to this email, post in Bugzilla using the above URL to reply. ------- You are receiving this mail because: ------- You are watching all bug changes.

http://bugs.winehq.org/show_bug.cgi?id=19781 --- Comment #36 from Dan Kegel <dank(a)kegel.com> 2009-12-16 02:24:01 --- I see some patches are committed. Is this fixed in git, then? -- Configure bugmail: http://bugs.winehq.org/userprefs.cgi?tab=email Do not reply to this email, post in Bugzilla using the above URL to reply. ------- You are receiving this mail because: ------- You are watching all bug changes.

http://bugs.winehq.org/show_bug.cgi?id=19781 Dan Kegel <dank(a)kegel.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |REOPENED Resolution|FIXED | --- Comment #38 from Dan Kegel <dank(a)kegel.com> 2010-01-04 16:25:47 --- Doesn't seem fixed here today. I did 'winetricks msvc2005trial', then wine cmd vsvars32.bat cl -Zi hello.c or equivalently cd ~/.wine/drive_c/Program Files/Microsoft Visual Studio 8/Common7/IDE wine cl -Zi hello.c but it failed with fixme:rpc:RpcBindingSetAuthInfoExW unsupported AuthnSvc 10 hello.c : fatal error C1902: Program database manager mismatch; please check your installation :-( This was with this morning's git. -- Configure bugmail: http://bugs.winehq.org/userprefs.cgi?tab=email Do not reply to this email, post in Bugzilla using the above URL to reply. ------- You are receiving this mail because: ------- You are watching all bug changes.

http://bugs.winehq.org/show_bug.cgi?id=19781 --- Comment #40 from Dan Kegel <dank(a)kegel.com> 2010-01-04 16:48:45 --- Happens with both Visual C++ 2005 Trial (which takes ages to install) and Visual C++ 2005 Express (which is quite quick to install with winetricks -q vc2005express ). -- Configure bugmail: http://bugs.winehq.org/userprefs.cgi?tab=email Do not reply to this email, post in Bugzilla using the above URL to reply. ------- You are receiving this mail because: ------- You are watching all bug changes.

http://bugs.winehq.org/show_bug.cgi?id=19781 --- Comment #42 from Kai Blin <kai.blin(a)gmail.com> 2010-01-05 05:29:02 ---

Maybe we need a winediag log message to catch this case. (In the past, having a missing ntlm_auth module was a no-op, so if there's a warning, people's eyes are trained to ignore it...)

There should be a very obvious ERR output if ntlm_auth is missing, along with suggestions on what package to install to fix said problem. If people are ignoring that error and complain about authentication errors, I don't know how to fix _that_. -- Configure bugmail: http://bugs.winehq.org/userprefs.cgi?tab=email Do not reply to this email, post in Bugzilla using the above URL to reply. ------- You are receiving this mail because: ------- You are watching all bug changes.

http://bugs.winehq.org/show_bug.cgi?id=19781 --- Comment #44 from Kai Blin <kai.blin(a)gmail.com> 2010-01-05 06:37:12 --- (In reply to comment #43)

It's obvious, but it's usually totally safe to ignore, so I do ignore it.

Can you generate that warning only in situations where it really matters?

Currently it's generated when secur32.dll is loaded and fails to initialize the NTLM provider. That seemed like a sane spot for me. It might make sense to add another error in the rpcrt at the point where it expects to use the RPC_C_AUTHN_WINNT AuthSvc and that's not provided. However, that'll only help for apps that get to the secur32 code via the rpcrt4 code. Apps that explicitly use secur32 show different patterns of selecting the provider they want to use, and on secur32.dll load is the only sane spot to complain about ntlm_auth missing. -- Configure bugmail: http://bugs.winehq.org/userprefs.cgi?tab=email Do not reply to this email, post in Bugzilla using the above URL to reply. ------- You are receiving this mail because: ------- You are watching all bug changes.

http://bugs.winehq.org/show_bug.cgi?id=19781 --- Comment #46 from Dan Kegel <dank(a)kegel.com> 2010-01-05 12:18:31 --- 'apt-get install winbind' on the affected machine does indeed solve the problem. -- Configure bugmail: http://bugs.winehq.org/userprefs.cgi?tab=email Do not reply to this email, post in Bugzilla using the above URL to reply. ------- You are receiving this mail because: ------- You are watching all bug changes.

https://bugs.winehq.org/show_bug.cgi?id=19781 Anastasius Focht <focht(a)gmx.net> changed: What |Removed |Added ---------------------------------------------------------------------------- Fixed by SHA1| |d412bcc3aef1ccec410b82fac74 | |e4e55897d9438 CC| |focht(a)gmx.net -- Do not reply to this email, post in Bugzilla using the above URL to reply. You are receiving this mail because: You are watching all bug changes.