Hi folks,
Dimi asked me to give a little status about the single sign-on summer of code project I was doing to the list, and I'm happy to oblige.
Applications running on win32 can use the Security Support Provider Interface (SSPI) to handle authentication via a number of protocols, like Kerberos, NTLM, Negotiate and Schannel. My project was to implement the NTLM and Negotiate protocols, using Andrew Bartlett's GENSEC implementation from samba4.
Samba offers a command line tool to provide NTLM (and, in samba 4, Negotiate) style authentication for other programs, so my task was to get wine to use ntlm_auth.
Things that got done:
---------------------
* Base64 codec
  ntlm_auth was first designed as a helper for squid. Squid talks to its helpers using base64; wine just had an encoder for it.
* Code to run ntlm_auth
  ntlm_auth doesn't store all the state information needed for the protocol handshake, so some wrapping code was needed.
* Code that implements the security support providers for NTLM and Negotiate.
  To make the sspi functions behave properly, the api functions have to do the right thing.
Work still left to do:
----------------------
* Getting the code into cvs:
  While most of the code was already submitted to the wine-patches list, a lot of it was still in need of improvements. I'm currently working on this.
* Getting more of the stubs to actually do something
  While the code that exists so far can handle the basic NTLM and Negotiate authentication, a lot of functions defined in the API still are stubs.
Conclusion:
-----------
As soon as the code is in cvs, wine should be able to do basic NTLM and Negotiate authentication, server and client side. Client side just requires ntlm_auth, server side also requires samba to be set up correctly, and when using samba 3, access to the winbindd named pipe for the user running wine.
Real use of this code seems limited, as most use cases also use the schannel protocol, which isn't implemented yet. Juan Lang is working on this, but needs to get more of crypt32 implemented for that.
I will continue to work on this, there's still a lot of providers to go.
I would like to use this summary to extend my thanks to Google and Chris DiBona for getting the whole Summer of Code set up.
Also, I'd like to thank you guys, particularly Juan, for the help I have received so far. It's really fun to work with the project, I hope to keep doing so for a while.
Kai
On Sun, 2005-09-25 at 23:44 +0200, Kai Blin wrote:
> Hi folks,
> Dimi asked me to give a little status about the single sign-on summer of code project I was doing to the list, and I'm happy to oblige.
Thank you! Sorry for the late reply, too much email lately :)
> * Getting the code into cvs:
>   While most of the code was already submitted to the wine-patches list, a lot of it was still in need of improvements. I'm currently working on this.
> * Getting more of the stubs to actually do something
>   While the code that exists so far can handle the basic NTLM and Negotiate authentication, a lot of functions defined in the API still are stubs.
While you have things still fresh in your mind, an explicit TODO up on the Wiki would be very useful. It would be a waste not to document all the context you have gathered during this project.
I'm particularly excited by the prospect of having a working SSO solution integrated into Wine. I think having a detailed list of items that need to be solved to get there would be very useful.