[Bug 59689] New: SEC_WINNT_AUTH_IDENTITY_EX support in AcquireCredentialsHandle
http://bugs.winehq.org/show_bug.cgi?id=59689

            Bug ID: 59689
           Summary: SEC_WINNT_AUTH_IDENTITY_EX support in AcquireCredentialsHandle
           Product: Wine
           Version: 11.7
          Hardware: x86-64
                OS: Linux
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: secur32
          Assignee: wine-bugs@list.winehq.org
          Reporter: winandfx@gmail.com
      Distribution: ---

Created attachment 80794
  --> http://bugs.winehq.org/attachment.cgi?id=80794
python crash log

# Context

I have a Python application which uses Windows DLLs so I was unable to run it on Linux. Then I've created a minimal Docker image with Wine 11.7 preinstalled
https://github.com/Winand/wine-container
I've used Kron4ek wine-11.7-staging-tkg-amd64 build but I think particularly for my issue it doesn't matter.

My application works surprisingly well in Wine but I send notification emails via a corporate SMTP server and for authentication I use pyspnego library like it is described here https://stackoverflow.com/a/70788458. In Windows 10 there're no issues but in Wine the whole Python interpreter crashes on line:
auth = spnego.client(username, password, service="SMTP", protocol="ntlm")
I've started to investigate the problem (with the help of Gemini as it is more experienced than me) and noticed that `options=spnego.NegotiateOptions.use_ntlm` fixes the issue (because it doesn't use SSPI).

# Problem

I've found out that on the Python side the problem is within sspilib, specifically here:
https://github.com/jborean93/pyspnego/blob/main/src/spnego/_sspi.py#L76
```
def _get_sspi_credential(
    ...
    auth_data = sspilib.raw.WinNTAuthIdentity(
    ...
    return sspilib.raw.acquire_credentials_handle(**credential_kwargs, auth_data=auth_data).credential
```

sspilib.raw.WinNTAuthIdentity returns SEC_WINNT_AUTH_IDENTITY_EXW structure as described here
https://learn.microsoft.com/en-us/windows/win32/secauthn/acquirecredentialsh...
https://github.com/jborean93/sspilib/blob/main/src/sspilib/raw/_credential.p...

But msv1_0.dll ntlm_SpAcquireCredentialsHandle expects SEC_WINNT_AUTH_IDENTITY_W structure
https://gitlab.winehq.org/wine/wine/-/blob/master/dlls/msv1_0/main.c?ref_typ...
https://gitlab.winehq.org/wine/wine/-/blob/master/dlls/secur32/lsa.c?ref_typ...

In the crash log there's a line:
Unhandled exception: page fault on read access to 0x0000004800000200 in 64-bit code (0x006ffffff6746c).

Gemini says that these are fields Version=0x02, Length=0x48 (72 bytes) from SEC_WINNT_AUTH_IDENTITY_EXW. I'm not experienced enough to confirm this statement.
So I think the problem is that ntlm_SpAcquireCredentialsHandle doesn't support SEC_WINNT_AUTH_IDENTITY_EXW.

The crash can be easily reproduced using just one line of code in my wine-container described at the beginning:

$ WINEDEBUG=+secur32,+ntlm,+msv1_0 wine python3.12 -c 'from spnego._sspi import SSPIProxy; sspi = SSPIProxy("test@corp.com", "1234", "unspecified", "host")'

--
Do not reply to this email, post in Bugzilla using the above URL to reply.
You are receiving this mail because:
You are watching all bug changes.
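The layout mismatch described in the report, as an added example that is not part of the original report and is not Wine's patch. It models the 64-bit layouts of both structures with fixed-width fields and shows that, on a little-endian machine, the faulting address 0x0000004800000200 is the first eight bytes of an EXW structure (dwords 0x00000200 and 0x00000048) read as the `User` pointer of the non-EX structure. `normalize_identity`, `sample_exw` and the `identity_*` type names are hypothetical, and discriminating on the leading Version field is an assumption of this example.

```c
#include <stdint.h>
#include <string.h>
#define AUTH_IDENTITY_VERSION 0x200u /* SEC_WINNT_AUTH_IDENTITY_VERSION */
/* Win64 layouts modelled with fixed-width fields; pointers held as uint64_t. */
typedef struct {                  /* SEC_WINNT_AUTH_IDENTITY_W, 48 bytes */
    uint64_t User;     uint32_t UserLength;
    uint64_t Domain;   uint32_t DomainLength;
    uint64_t Password; uint32_t PasswordLength, Flags;
} identity_w;
typedef struct {                  /* SEC_WINNT_AUTH_IDENTITY_EXW, 72 bytes */
    uint32_t Version, Length;
    uint64_t User;     uint32_t UserLength;
    uint64_t Domain;   uint32_t DomainLength;
    uint64_t Password; uint32_t PasswordLength, Flags;
    uint64_t PackageList; uint32_t PackageListLength;
} identity_exw;
_Static_assert(sizeof(identity_exw) == 0x48, "EXW must be 72 bytes");

/* Constructed sample; the pointer values are placeholders, never dereferenced. */
identity_exw sample_exw(void)
{
    identity_exw ex = {0};
    ex.Version = AUTH_IDENTITY_VERSION; ex.Length = sizeof(ex);
    ex.User = 0x1000; ex.UserLength = 13;
    ex.Password = 0x2000; ex.PasswordLength = 4;
    ex.Flags = 2; /* SEC_WINNT_AUTH_IDENTITY_UNICODE */
    return ex;
}

/* The User pointer a consumer sees if it assumes the non-EX layout. */
uint64_t user_if_read_as_w(const void *auth_data)
{
    identity_w w;
    memcpy(&w, auth_data, sizeof(w));
    return w.User;
}

/* Hypothetical helper: copy either layout into a W struct; -1 on a short EX Length. */
int normalize_identity(const void *auth_data, identity_w *out)
{
    uint32_t hdr[2]; /* Version, Length */
    identity_exw ex;
    memcpy(hdr, auth_data, sizeof(hdr));
    if (hdr[0] != AUTH_IDENTITY_VERSION) { memcpy(out, auth_data, sizeof(*out)); return 0; }
    if (hdr[1] < sizeof(ex)) return -1;
    memcpy(&ex, auth_data, sizeof(ex));
    *out = (identity_w){ ex.User, ex.UserLength, ex.Domain, ex.DomainLength,
                         ex.Password, ex.PasswordLength, ex.Flags };
    return 0;
}
```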
http://bugs.winehq.org/show_bug.cgi?id=59689

--- Comment #1 from Hans Leidekker <hans@meelstraat.net> ---
Created attachment 80799
  --> http://bugs.winehq.org/attachment.cgi?id=80799
patch

Can you try this patch?
http://bugs.winehq.org/show_bug.cgi?id=59689

Austin English <austinenglish@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |austinenglish@gmail.com
http://bugs.winehq.org/show_bug.cgi?id=59689

--- Comment #2 from Andrey M <winandfx@gmail.com> ---
Created attachment 80806
  --> http://bugs.winehq.org/attachment.cgi?id=80806
log with secur32 patch applied
http://bugs.winehq.org/show_bug.cgi?id=59689

--- Comment #3 from Andrey M <winandfx@gmail.com> ---
(In reply to Hans Leidekker from comment #1)
> Created attachment 80799 [details]
> patch
>
> Can you try this patch?

I think it works now.

1) Docker Ubuntu 22.04 container:

apt update && apt install -y git build-essential flex bison curl gcc-multilib g++-multilib pkg-config libx11-dev
cd ~
git clone --depth 1 https://gitlab.winehq.org/wine/wine.git
cd wine
git apply /work/secur32.patch
./configure --enable-win64 --without-x --without-freetype
make -j12

2) copied newly built dlls/secur32/x86_64-windows/secur32.dll to /home/wine/.local/lib/wine/x86_64-windows/secur32.dll and /home/wine/.wine/drive_c/windows/system32/secur32.dll (wine prefix=/home/wine/.wine)

3) Run

$ wine python3.12 -m pip install --break-system-packages pyspnego
$ WINEDEBUG=+loaddll,+secur32,+ntlm,+msv1_0 wine python3.12 -c 'from spnego._sspi import SSPIProxy; sspi = SSPIProxy("test@corp.com", "1234", "unspecified", "host")'

4) Logs

00e0:trace:secur32:AcquireCredentialsHandleW (null) L"negotiate" 2 <...>
00e0:trace:secur32:lsa_AcquireCredentialsHandleW (null) L"negotiate" 0x2 <...>
00e0:trace:secur32:nego_SpAcquireCredentialsHandle 0000000000000000, 0x2, <...>
00e0:trace:ntlm:ntlm_SpAcquireCredentialsHandle <null>, 0x2, <...>
00e0:trace:ntlm:ntlm_SpAcquireCredentialsHandle username is L"test@corp.com"
00e0:trace:ntlm:ntlm_SpAcquireCredentialsHandle domain name is (null)
http://bugs.winehq.org/show_bug.cgi?id=59689

Hans Leidekker <hans@meelstraat.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |RESOLVED
         Resolution|---                         |FIXED
      Fixed by SHA1|                            |28f5eb7f0648b7645e04aff3e2457dd380c8e064

--- Comment #4 from Hans Leidekker <hans@meelstraat.net> ---
Fixed with 28f5eb7f0648b7645e04aff3e2457dd380c8e064.
http://bugs.winehq.org/show_bug.cgi?id=59689

Alexandre Julliard <julliard@winehq.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #5 from Alexandre Julliard <julliard@winehq.org> ---
Closing bugs fixed in 11.8.
http://bugs.winehq.org/show_bug.cgi?id=59689

Andrey M <winandfx@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|FIXED                       |---
             Status|CLOSED                      |UNCONFIRMED

--- Comment #6 from Andrey M <winandfx@gmail.com> ---
I've found out that it is not fully fixed for Python sspilib. It is fixed for protocol=negotiate, but not for protocol=ntlm. You can see in logs that nego_SpAcquireCredentialsHandle is not called when protocol=ntlm which means that SEC_WINNT_AUTH_IDENTITY_EXW is not converted to SEC_WINNT_AUTH_IDENTITY_W and we get the same error as before inside ntlm_SpAcquireCredentialsHandle.

How to reproduce:

Run container https://github.com/Winand/wine-container

$ wine python3.12 -m pip install --break-system-packages pyspnego
$ WINEDEBUG=+secur32,+ntlm,+msv1_0 wine python3.12 -c "import spnego; spnego._sspi.SSPIProxy('user', 'pass', service='SMTP', protocol='ntlm')"
http://bugs.winehq.org/show_bug.cgi?id=59689

--- Comment #7 from Andrey M <winandfx@gmail.com> ---
Created attachment 80866
  --> http://bugs.winehq.org/attachment.cgi?id=80866
both sspilib logs for protocol="negotiate" and "ntlm" included
http://bugs.winehq.org/show_bug.cgi?id=59689

Andrey M <winandfx@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |winandfx@gmail.com
http://bugs.winehq.org/show_bug.cgi?id=59689

Andrey M <winandfx@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|winandfx@gmail.com          |
http://bugs.winehq.org/show_bug.cgi?id=59689

Hans Leidekker <hans@meelstraat.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |RESOLVED
         Resolution|---                         |FIXED

--- Comment #8 from Hans Leidekker <hans@meelstraat.net> ---
NTLM support was added with 3078618009be907d48edd2d46a8c9610110156b4.