ASN.1 and some fun...

Mayers, Philip J p.mayers at ic.ac.uk
Mon Oct 30 22:04:32 GMT 2000


The NTLM stuff is advertised as an SNEGO sub-mechanism OID -
.1.3.6.1.4.1.311.2.2.10
(.iso.org.dod.internet.private.enterprises.microsoft.2.2.10). The actual
contents of the SNEGO packets are the ordinary NTLM auth exchanges, prefixed
with the ASCII test "NTLMSSP" (a "distinct OID" in Microsoft's words...
<pfff> yeah, right).

The Kerb5 OID is definitely "wrong" - 48018 = 0xBB92, and 113554 (what MIT
should be) is 0x1BB92 - hmm, I wonder, did someone at MS use a 16-bit
quantity where they shouldn't have?

The other OID you're thinking of is
.iso.org.dod.internet.security.kerberos5, which was used before the K5
mechanism was standardised (odd, you'd think it would go from an MIT OID to
a "public" one, not the other way).

I'll take a look at Heimdal.

Cheers,
Phil

-----Original Message-----
From: Nicolas Williams
To: Mayers, Philip J; samba-technical at samba.org
Sent: 30/10/00 21:14
Subject: Re: ASN.1 and some fun...



I think the NTLM stuff is not done in GSS-API/SPNEOG in W2K.

<snip>

Heimdal. http://www.pdc.kth.se/heimdal/

<snip>

I think there's two Kerberos GSS mechanism OIDs, because the original
spec was superceded by a new spec. Look it up, maybe the OID they use
isn't "wrong," just outdated.






More information about the samba-technical mailing list