http://bugs.winehq.org/show_bug.cgi?id=19212
--- Comment #1 from Kai Blin kai.blin@gmail.com 2009-07-06 03:09:49 ---
Yeah, looks like we'll have to implement it. That's going to be a pain, as we either need to do the ASN.1 parsing ourselves or build on top of some ASN.1 library out there. Alternatively, we could base our SSPI code on top of Heimdal GSSAPI and hope that MIT GSSAPI catches up on the NTLM support soon (I heard Red Hat was working on this). We'd still have to do SSL (SCHANNEL) ourselves, but IIRC you can only Negotiate (SPNEGO, as per RFC) between NTLM and Kerberos.
My estimate is that any of these solutions will take about two to four weeks of development time to evaluate and implement, and testing this is going to be non-trivial as well. My preference would be to go via one of the GSSAPI libraries, as that'd allow us to care less about all of this. Given that I don't have time to implement anything in this area right now, that probably won't count much.