SingleSignOn
This idea was discussed at WineConf2005: Wine is starting to support tokens, SIDs and whatnot in the wineserver, mainly due to work by RobShearman. Currently the tokens are fake administrator tokens, with no login happening to support them. We would like to be able to support logging in to a remote server in order to support "real" tokens. This might allow, for example, a single login to Wine, followed by transparent RPC to a remote server in the same domain. At the same time, we'd like the current no-login configuration to continue to work.
For this to happen, a WineLogon program that authenticates a user would probably be needed. To be fully compatible with Windows, it would actually call a GINA (Graphical Identification aNd Authentication) DLL to do it. The default GINA, MSGINA, calls LsaLogonUser to authenticate a user. This in turn just forwards to an authentication provider, which by default is the MSV1_0 provider.
It's a big goal, and what's been done (or is being done) is much narrower in scope than that.
Right now we are using the ntlm_auth program from Samba to:
- authenticate against a Windows/Samba server
- encrypt (decrypt) packets to (from) a Windows/Samba server
Both are done by using the NTLM security provider implemented in secur32.dll. This work was done by KaiBlin for the Google Summer of Code 2005 and the Google Summer of Code 2006. Kai is planning to add the Negotiate and Kerberos security providers next, so stay tuned for more from Kai.
secur32.dll also provides support for the SSL/TLS providers, at least in native. This doesn't have much to do with SingleSignOn, but see JuanLang's page for more on those.
