Funny security blob in sesssetup&X.

Jim McDonough jmcd at
Wed Aug 28 07:52:08 GMT 2002

I'll map out what I see happen (and I'm sure this is a correct
interpretation, though there are other possible flows that I haven't seen).
(I) = initiator/client, (T) = target/server.  Please note that on each
SPNEGO call, all args are optional, and if I don't list them, they aren't
being sent on the wire.

First, I'll do the flow if NTLMSSP is negotiated:
1> (I) Negprot request, with extended security bit on

2> (T) Negprot reply, containing SPNEGO-encapsulated
NegTokenInit(mechTypes(MS's badly formed krb5 OID, real krb5 OID,
user-to-user krb5 OID,  NTLMSSP OID), mechListMIC(server principal))
(Notice: no reqFlags or mechToken is sent)

3> (I) SesssetupandX req, containing SPNEGO-encapsulated
NegTokenInit(mechTypes(only the NTLMSSP OID),  mechToken(NTLMSSP Negotiate

4> (T) Sesssetup resp with ERR_MORE_PROCESSING_REQUIRED, containing
NegTokenTarg(negResult(accept_incomplete), mechType(NTLMSSP OID), response
token(NTLMSSP challenge command), mechListMIC(exact duplication of the
NTLMSSP challenge command)) (note that the GSSAPI-SPNEGO encapsulation is
gone, just the NegTokenTarg goes on the wire)

5> (I) SesssetupandX req, containing NegTokenTarg(responseToken(NTLMSSP
auth command containing password hash(es)))

6> (T) Sesssetup resp containing NegTokenTarg(negResult(accept_complete))

The flow for client-server kerberos is:
1> same as above
2> same as above

OPTIONAL STEPS> do tgs-req and get tgs-reply from from KDC - these may
already be done.

3> (I) SesssetupandX req, containing SPNEGO-encapuslated
NegTokenInit(mechTypes(all 4 OIDS from step 2), mechToken(krb AP_REQ
containing ticket))
4> (T) Sesssetup resp, containing NegTokenTarg(negResult(accept_complete),
mechType(bad or good krb5 OID (bad if it's their system)), response
token(krb5 AP_REPLY), mechListMIC(exact duplicate of krb5 AP_REPLY))

Jim McDonough
IBM Linux Technology Center
Samba Team
6 Minuteman Drive
Scarborough, ME 04074

jmcd at
jmcd at

Phone: (207) 885-5565
IBM tie-line: 776-9984

More information about the samba-technical mailing list