[cifs-protocol] Re: (More): Status: SRX080803600053: [MS-NLMP] raw NTLMSSP tokens in GSS-API/SPNEGO

Adam Simpkins simpkins at cisco.com
Tue Nov 4 18:15:06 GMT 2008


On Tue, Nov 04, 2008 at 02:57:00AM -0800, Bill Wesse wrote:
> Thank you very much for your considerations. I have filed a
> documentation change request against [MS-NLMP] concerning NTLMSSP
> InitialContextTokens (see 'Expected' below).

Thanks, Bill.  I do have one comment about some of your text below:

> Expected:
> 
> Even though we are not claiming compliance with RFC4178, the interpretation of '3.2.  Negotiation Procedure' is a point of interest concerning how we embed the NTLM NEGOTIATE MESSAGE MechToken (Netmon 3.2 trace extract below, from the attached spnego_ntlmssp.cap, frame 6.

I just want to clarify that the main issue here is non-compliance with
RFC 2743, not RFC 4178.  There are two separate behaviors that need to
be addressed--the behavior without SPNEGO (raw_ntlmssp.cap and
gss_ntlmssp.cap) and the behavior with SPNEGO (spnego_raw_ntlmssp.cap
and spnego_gss_ntlmssp.cap).

I think the non-SPNEGO behavior is the most important aspect to
document clearly, and this involves only compliance with RFC 2743, not
RFC 4178.  The behavior of the Windows NTLM implementations of
GSS_Init_sec_context() and GSS_Accept_sec_context() are what is at
issue.

I think the documentation will be much more clear if it focuses mainly
on the differences from RFC 2743, and doesn't complicate the matter by
bringing in RFC 4178 unnecessarily.

If [MS-NLMP] is updated just to describe the Windows implementation
differences from RFC 2743 (without SPNEGO), then that should also
implicitly cover the SPNEGO discrepancies from RFC 4178.  Since RFC
4718 says that SPNEGO implementations should just invoke
GSS_Init_sec_context() and GSS_Accept_sec_context() for the inner
mechanism, proper descriptions of the Windows implementations of these
functions would cover the SPNEGO behavior too.  A minor note that
these behaviors also affect SPNEGO should be sufficient.

-- 
Adam Simpkins
simpkins at cisco.com
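
The two initial-token forms this thread distinguishes, a raw NTLMSSP message versus one wrapped in the RFC 2743 section 3.1 InitialContextToken framing, can be told apart as in the following added example, which is not part of the original message or of any Microsoft or Samba code. The function names and the sample tokens are constructed for illustration; the samples are not taken from the captures mentioned above.

```python
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
# DER encoding (tag 0x06, length 0x0a) of the NTLMSSP OID 1.3.6.1.4.1.311.2.2.10
NTLMSSP_OID_DER = bytes.fromhex("060a2b06010401823702020a")


def _der_length(buf, pos):
    """Decode a DER length at buf[pos]; return (length, next_pos)."""
    if pos >= len(buf):
        raise ValueError("truncated before DER length")
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def ntlm_message_type(msg):
    """Return the NTLM MessageType (1 = NEGOTIATE) or raise ValueError."""
    if len(msg) < 12 or not msg.startswith(NTLMSSP_SIGNATURE):
        raise ValueError("not an NTLMSSP message")
    return struct.unpack_from("<I", msg, 8)[0]


def classify_initial_token(token):
    """Return ('raw' | 'gss', ntlm_message_type) for an initial NTLM token."""
    if token.startswith(NTLMSSP_SIGNATURE):
        return "raw", ntlm_message_type(token)
    if not token or token[0] != 0x60:  # [APPLICATION 0] constructed
        raise ValueError("neither raw NTLMSSP nor an InitialContextToken")
    length, pos = _der_length(token, 1)
    if pos + length != len(token):
        raise ValueError("InitialContextToken length does not match buffer")
    if not token.startswith(NTLMSSP_OID_DER, pos):
        raise ValueError("thisMech is not the NTLMSSP OID")
    return "gss", ntlm_message_type(token[pos + len(NTLMSSP_OID_DER):])


# Constructed sample: minimal NEGOTIATE_MESSAGE (signature, type 1, flags,
# two empty 8-byte field descriptors), then the same message in GSS framing.
SAMPLE_NEGOTIATE = NTLMSSP_SIGNATURE + struct.pack("<II", 1, 0x00000201) + bytes(16)
_inner = NTLMSSP_OID_DER + SAMPLE_NEGOTIATE
SAMPLE_GSS = b"\x60" + bytes([len(_inner)]) + _inner
```

An acceptor that must interoperate with both forms can branch on the first element of the returned tuple; a strict RFC 2743 acceptor would reject the "raw" case.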

