ntlm_auth --helper-protocol=gss-spnego

Andrew Bartlett abartlet at samba.org
Mon Apr 26 13:55:49 GMT 2004

On Mon, 2004-04-26 at 23:03, Henrik Nordstrom wrote:
> In what ways does the gss-spnego helper protocol differ from the 
> squid-2.5-ntlmssp protocol besides using SPNEGO blobs instead of NTLMSSP 
> blobs?

The order is changed - SPENGO is a server-speaks-first protocol, so the
first YR gets things moving.

There is a Cyrus-SASL patch here, the second half is for SPENGO:


In particular note (from vl's patch):

/* The child's reply contains 3 parts:
+	   - The code: TT, AF or NA
+	   - The blob to send to the client, coded in base64
+	   - The argument:
+	         For TT it's a dummy '*'
+		 For AF it's domain\\user
+		 For NA it's the NT error code
+	*/

> Further, am I correct in that this mode implements the NEGOTIATE SSP blobs
> including buth NTLM and Kerberos, or is it just the Kerberos side of
> things?

It is both.  The kerberos side requires access to the secrets.tdb, but
otherwise it should be fairly normal.  I've not tested it in a while

> The reason to this question is that I am toying with the idea to add 
> NEGOTIATE/SPNEGO support to Squid.


Andrew Bartlett

Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba-technical/attachments/20040426/3a864760/attachment.bin

More information about the samba-technical mailing list