Separate the ntlm_auth features that Wine needs into another package that doesn't require winbindd client.

Wine needs the winbind package for its ntlm-auth functions. Ideally, these would be provided by a minimalistic version of the samba package that had no such daemon. So, I am retargetting this bug towards samba (which provides winbind). Thank you for reporting!

On Thu, 2009-03-05 at 21:00 +0000, Scott Ritchie wrote:
> Wine needs the winbind package for its ntlm-auth functions. Ideally,
> these would be provided by a minimalistic version of the samba package
> that had no such daemon. So, I am retargetting this bug towards samba
> z(which provides winbind). Thank you for reporting!
This doesn't make sense. ntlm_auth is a tool that's sole purpose is
communicating with winbindd. winbindd already doesn't depend on samba
itself.

Cheers,

Jelmer
--
Jelmer Vernooij <email address hidden> - http://samba.org/~jelmer/
Jabber: <email address hidden>

Sorry, I got confused by earlier reports saying that installing winbind (and just winbind) caused things to break, I figured something more substantial had to be going on

Confirmed, thanks for reporting.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

ntlm_auth is a companion utility to winbind, it doesn't work without it.
    Providing a minimalized version of the winbind package doesn't make
much sense, as it would render ntlm_auth unusable.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iJwEAQECAAYFAkm5NlcACgkQDLQl4QYPZuVgSAP/UR74Ch7ldN2GzDU3DgrAeoey
lFQLICSy7YeFZpaC/EhojfueysKVxFCBXS4XLnXDeaWYYq2KcjDpcEQHbojAxsAW
w8mMyvgVG6KTIkAbSl4Wbc7zTl15uFTdq9lfsSDC+16n2nXYHaLofH093UUCSmpm
fmIadfY3hgjk4RzqZY4=
=W76b
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

It would be possible to have winbind only started before ntlm_auth is
used, but this could mean the user would have to wait some time before
being able to use ntlm_auth from wine.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iJwEAQECAAYFAkm5N5oACgkQDLQl4QYPZuU2LAP/X0mRMutt4JyZEqtZJ3RZhRiK
lytg+7ETIzJ2mWNEiqLobGwR/buZ5qQ1QHfpNmoT2W/nPT+yFSDtL9mt73y7Zw2Q
4otHFv6szDrO9mtc/WynjY98tVnFrJvkpTkl5vMZdzUqTMZQkcKbq5ebbF+xo1j0
47bBqAvLfwGuu3UKd/Q=
=gvnc
-----END PGP SIGNATURE-----

Another side-affect of this is, that after installing winbindd, samba tries to authenticate every connecting user though winbind, which effectively renders security=share nonfunctional.

It took quite some time to debug what’s wrong with samba, so installing wine shouldn’t break samba-shares!

This has been historically causing more breakage than it should, IMHO. Lots of people that just want to run a Windows game end up with a broken winbindd on their workstation as a result...

Scott: how much does Wine depend on ntlm-auth ? It seems like for most Wine usage, NTLM authentication is overkill. Would there be any way to make Wine optionally use ntlm-auth if present, and have Wine suggest winbindd instead of depending on it ?

In maverick, now that the winbind package configures a PAM module by default (bug 282751), this is more serious than just starting a useless daemon.

One side effect of pam_winbind is that sudo now prompts for a second password if you hit Ctrl+C at the first prompt. Because this second password prompt is generated by pam_winbind, it doesn’t work even if you type the right password.

As Thierry and Anders pointed out above, this might be causing breakage. See bug #605326, for example.

Considering we are installing recommended package by default, this ought to be reviewed. I think winbind should be made a Suggests of wine instead, since the NTLM authentication feature is not something most users will actually need or want. That's what Debian does too.

I do not see how this could be fixed in samba. Spinning ntlm_auth in its own package would not help, as it would (likely) depends in turn on winbind. I am retargeting this bug to wine again (sorry, Scott) so it can get some discussion.

Kai just corrected me - ntlm_auth doesn't necessarily (but usually) require winbind, but also has some functionality that doesn't require winbind - functionality that is used by wine.

Some comments as the author of the Wine code that makes use of ntlm_auth here.

First and foremost, ntlm_auth works just fine without winbindd running in client mode. This is the mode that most of the Wine users that need NTLM auth will use. A good use case would be using Outlook against Exchange with crypto enabled. winbindd is only needed if the user is trying to authenticate users, for example for running RPC servers.

That said, most Wine users probably run games and not Outlook, so they never use NTLM (there's games and IM clients that support NTLM, but they're probably a minority). I don't have the impression that the average Ubuntu user is running in an office environment. So while in my opinion the real cause for the breakage is that installing winbindd fiddles with your PAM settings, I guess the best fix that'll hurt the least number of users is to downgrade winbind from Recommends to Suggests. I find it regrettable that GUI package managers automagically pull in Recommends and never mention Suggests, but that is probably done to make life easier for the average user as well.

To sum up, while the view that ntlm_auth is useless without winbind is wrong, I guess the suggested fix is the least pain for the least amount of work.

Per Kai, I'll downgrade Wine, but I'm reopening a wishlist samba task because it is in fact possible to do "the right thing" here.

This bug was fixed in the package wine1.6 - 1:1.6.2-0ubuntu6

---------------
wine1.6 (1:1.6.2-0ubuntu6) utopic; urgency=medium

  * Remove experimental pthread patch (causes regressions)
    - http://bugs.winehq.org/show_bug.cgi?id=36772
    - http://bugs.winehq.org/show_bug.cgi?id=36744
  * Actually apply the extraneously large buffer revert patch
    - Was somehow turned off in previous update
    - Reduces audio latency; upstream only increased buffer for non-linux drivers
  * Build-depend on ocl-icd-opencl-dev instead of its deps (LP: #1371196)
    - Remove direct build-depend on ocl-icd-libopencl1 and opencl-headers
  * Add Arabic and Japanese translations for the .desktop files (LP: #1320290)
    - Thank you Akira Nakagawa
  * Remove ocl-icd-libopencl1 from recommends (LP: #1313123, #1376587)
    - Spurious as there is an automatic dependency on it or its substitutes
    - Might fix some installability problems on proprietary drivers
  * Exclude libpulse0 from auto-dependency generation (LP: #1226314)
    - It correctly remains a recommends, as it is possible to run Wine without pulseaudio
    - debian/rules: exclude winepulse.drv.so from parsing by dh_shlibdeps
  * Import patch to mostly fix wine icon appearing instead of app icon (LP: #1103833)
    - Patch courtesy Michael Müller, possibly to be replaced by later patches
  * Downgrade winbind from Recommends to Suggests (LP: #302148)
 -- Scott Ritchie <email address hidden> Mon, 06 Oct 2014 14:22:27 -0700