Funny security blob in sesssetup&X.

Richard Sharpe rsharpe at ns.aus.com
Wed Aug 28 08:04:01 GMT 2002


On Wed, 28 Aug 2002, Jim McDonough wrote:


OK, this is great. However, it seems that 1 & 2 are GSS-API encapsulated 
as well, while the rest are not.

> 
> I'll map out what I see happen (and I'm sure this is a correct
> interpretation, though there are other possible flows that I haven't seen).
> (I) = initiator/client, (T) = target/server.  Please note that on each
> SPNEGO call, all args are optional, and if I don't list them, they aren't
> being sent on the wire.
> 
> First, I'll do the flow if NTLMSSP is negotiated:
> 1> (I) Negprot request, with extended security bit on
> 
> 2> (T) Negprot reply, containing SPNEGO-encapsulated
> NegTokenInit(mechTypes(MS's badly formed krb5 OID, real krb5 OID,
> user-to-user krb5 OID,  NTLMSSP OID), mechListMIC(server principal))
> (Notice: no reqFlags or mechToken is sent)
> 
> 3> (I) SesssetupandX req, containing SPNEGO-encapsulated
> NegTokenInit(mechTypes(only the NTLMSSP OID),  mechToken(NTLMSSP Negotiate
> command))
> 
> 4> (T) Sesssetup resp with ERR_MORE_PROCESSING_REQUIRED, containing
> NegTokenTarg(negResult(accept_incomplete), mechType(NTLMSSP OID), response
> token(NTLMSSP challenge command), mechListMIC(exact duplication of the
> NTLMSSP challenge command)) (note that the GSSAPI-SPNEGO encapsulation is
> gone, just the NegTokenTarg goes on the wire)
> 
> 5> (I) SesssetupandX req, containing NegTokenTarg(responseToken(NTLMSSP
> auth command containing password hash(es)))
> 
> 6> (T) Sesssetup resp containing NegTokenTarg(negResult(accept_complete))
> 
> 
> The flow for client-server kerberos is:
> 1> same as above
> 2> same as above
> 
> OPTIONAL STEPS> do tgs-req and get tgs-reply from KDC - these may
> already be done.
> 
> 3> (I) SesssetupandX req, containing SPNEGO-encapsulated
> NegTokenInit(mechTypes(all 4 OIDS from step 2), mechToken(krb AP_REQ
> containing ticket))
> 4> (T) Sesssetup resp, containing NegTokenTarg(negResult(accept_complete),
> mechType(bad or good krb5 OID (bad if it's their system)), response
> token(krb5 AP_REPLY), mechListMIC(exact duplicate of krb5 AP_REPLY))
> 
> ----------------------------
> Jim McDonough
> IBM Linux Technology Center
> Samba Team
> 6 Minuteman Drive
> Scarborough, ME 04074
> USA
> 
> jmcd at us.ibm.com
> jmcd at samba.org
> 
> Phone: (207) 885-5565
> IBM tie-line: 776-9984
> 
> 

-- 
Regards
-----
Richard Sharpe, rsharpe at ns.aus.com, rsharpe at samba.org, 
sharpe at ethereal.com
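
The encapsulation difference discussed in this thread, as an added example that is not part of the original messages or of Samba or Ethereal code: a Python parser that tells a GSS-API-wrapped SPNEGO blob (outer tag 0x60 carrying the SPNEGO OID 1.3.6.1.5.5.2) from a bare NegTokenTarg (outer tag 0xA1) and lists the mechTypes a NegTokenInit offers. The function names are hypothetical and the two sample blobs are hand-constructed minimal DER modelled on steps 3 and 4 of the NTLMSSP flow, without the mechToken and responseToken fields.

```python
# Added example, not from the thread; the STEP blobs are hand-built DER, not captured traffic.
SPNEGO_OID = "1.3.6.1.5.5.2"
STEP3 = bytes.fromhex("601c06062b0601050502a0123010a00e300c060a2b06010401823702020a")
STEP4 = bytes.fromhex("a1073005a0030a0101")

def tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value_start, value_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("TLV runs past end of blob")
    return tag, pos, pos + length

def oid_str(body):
    """Decode the contents of a DER OBJECT IDENTIFIER to dotted form."""
    arcs, val = [], 0
    for b in body:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    if not arcs:
        raise ValueError("empty or unterminated OID")
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def classify(blob):
    """Return (gss_wrapped, token_kind, mech_oids) for a security blob."""
    tag, start, _ = tlv(blob, 0)
    wrapped = tag == 0x60                  # [APPLICATION 0]: GSS-API framing present
    if wrapped:
        t, o_s, o_e = tlv(blob, start)
        if t != 0x06 or oid_str(blob[o_s:o_e]) != SPNEGO_OID:
            raise ValueError("GSS-API token does not carry SPNEGO")
        tag, start, _ = tlv(blob, o_e)
    if tag not in (0xA0, 0xA1):            # [0] NegTokenInit, [1] NegTokenTarg
        raise ValueError("not a SPNEGO NegotiationToken")
    mechs = []
    _, seq_s, seq_e = tlv(blob, start)     # the token's inner SEQUENCE
    if tag == 0xA0 and seq_s < seq_e and blob[seq_s] == 0xA0:   # [0] mechTypes
        _, p, end = tlv(blob, tlv(blob, seq_s)[1])  # SEQUENCE OF OBJECT IDENTIFIER
        while p < end:
            _, o_s, o_e = tlv(blob, p)
            mechs.append(oid_str(blob[o_s:o_e]))
            p = o_e
    return wrapped, "NegTokenInit" if tag == 0xA0 else "NegTokenTarg", mechs
```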



