ntlm_auth --helper-protocol=gss-spnego
Andrew Bartlett
abartlet at samba.org
Mon Apr 26 13:55:49 GMT 2004
On Mon, 2004-04-26 at 23:03, Henrik Nordstrom wrote:
> In what ways does the gss-spnego helper protocol differ from the
> squid-2.5-ntlmssp protocol besides using SPNEGO blobs instead of NTLMSSP
> blobs?
The order is changed - SPNEGO is a server-speaks-first protocol, so the
first YR gets things moving.
There is a Cyrus-SASL patch here, the second half is for SPNEGO:
http://websvn.samba.org/filedetails.php?rep=0&path=trunk/patches/ntlm_sasl.diff&rev=0&sc=1
In particular note (from vl's patch):
/* The child's reply contains 3 parts:
+ - The code: TT, AF or NA
+ - The blob to send to the client, coded in base64
+ - The argument:
+ For TT it's a dummy '*'
+ For AF it's domain\\user
+ For NA it's the NT error code
+ */
+
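Review bot: the comment names the three parts of the child's reply but not how they are delimited on the line, nor what the blob field holds when the code is NA, so a parser written from this comment alone has to guess; state the separator and the blob contents for each code here. In the AF line, `domain\\user` sits inside a C comment, where a backslash is not an escape, so it reads as two literal backslashes; write `domain\user` if the helper emits a single one.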
> Further, am I correct in that this mode implements the NEGOTIATE SSP blobs
> including both NTLM and Kerberos, or is it just the Kerberos side of
> things?
It is both. The Kerberos side requires access to the secrets.tdb, but
otherwise it should be fairly normal. I've not tested it in a while
however.
> The reason to this question is that I am toying with the idea to add
> NEGOTIATE/SPNEGO support to Squid.
GREAT!
Andrew Bartlett
--
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
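
A consumer of this helper has to split each reply into the three parts listed in the patch comment and treat only a well-formed AF line as success. The parser below is an added example, not code from Samba, Squid or the Cyrus-SASL patch; the single-space separator, the buffer sizes, the `helper_reply` names and accepting `*` as an empty blob for AF and NA are assumptions.

```c
#include <string.h>

/* Added example. Field order follows the patch comment quoted above; the
 * single-space separator, buffer sizes and "*" for "no blob" are assumptions. */
enum reply_code { REPLY_BAD, REPLY_TT, REPLY_AF, REPLY_NA };

struct helper_reply {
    enum reply_code code;
    char blob[2048];  /* base64 text, still encoded */
    char arg[256];    /* "*", domain\user, or the NT error code */
};

/* Base64 alphabet only, length a multiple of 4, padding only at the end. */
static int is_base64(const char *s)
{
    size_t n = strlen(s);
    size_t body = strspn(s, "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                            "abcdefghijklmnopqrstuvwxyz0123456789+/");
    size_t pad = strspn(s + body, "=");
    return n > 0 && n % 4 == 0 && pad <= 2 && body + pad == n;
}

/* Parse one reply line. Anything malformed yields REPLY_BAD, so the caller
 * fails closed and never mistakes a garbled line for AF. */
enum reply_code parse_helper_reply(const char *line, struct helper_reply *out)
{
    const char *blob, *sep;
    size_t blen, alen;

    out->code = REPLY_BAD;
    if (strlen(line) < 6 || line[2] != ' ')
        return REPLY_BAD;
    blob = line + 3;
    sep = strchr(blob, ' ');
    if (sep == NULL)
        return REPLY_BAD;
    blen = (size_t)(sep - blob);
    alen = strcspn(sep + 1, "\r\n");
    if (blen >= sizeof out->blob || alen == 0 || alen >= sizeof out->arg)
        return REPLY_BAD;
    memcpy(out->blob, blob, blen);   out->blob[blen] = '\0';
    memcpy(out->arg, sep + 1, alen); out->arg[alen] = '\0';

    if (!strncmp(line, "TT", 2) && is_base64(out->blob) && !strcmp(out->arg, "*"))
        out->code = REPLY_TT;
    else if (!strncmp(line, "AF", 2) && (is_base64(out->blob) || !strcmp(out->blob, "*")))
        out->code = REPLY_AF;
    else if (!strncmp(line, "NA", 2) && (is_base64(out->blob) || !strcmp(out->blob, "*")))
        out->code = REPLY_NA;
    return out->code;
}
```

The blob is left base64-encoded; a caller decodes it only after the code and argument have been accepted.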
More information about the samba-technical
mailing list