ntlm_auth --helper-protocol=gss-spnego

Andrew Bartlett abartlet at samba.org
Mon Apr 26 22:45:07 GMT 2004

On Tue, 2004-04-27 at 01:37, Henrik Nordstrom wrote:
> On Mon, 26 Apr 2004, Andrew Bartlett wrote:
> > The order is changed - SPENGO is a server-speaks-first protocol, so the
> > first YR gets things moving.
> Confused.. according to the MS docs I can find Negotiate over HTTP is a 
> client-speaks-first protocol just like NTLM over HTTP..
> [skipping the dummy step establishing that the Negotiate mechanism is at 
> all available]
> # Client calls InitializeSecurityContext() and generates a NegTokenInit, 
> does a base64 encoding of it, and resends the Get with the following 
> header: "Authorization: Negotiate <base64 encoding>" (e.g. Authorization: 
> Negotiate YIIGUQY<remainder of base64 encoded string>).
> * Server decodes the NegTokenInit, extracts the supported MechTypes (the
> one at the front of the MechTypeList should be either Kerberos Legacy or
> Kerberos V5), ensures it is one of the expected ones, and then extracts
> the MechToken and authenticates using gss_accept_security_context.
> * If gss_accept_security_context returns GSS_S_CONTINUE_NEEDED, the Web 
> server should return HTTP 401 (Unauthorized) status, and the response 
> token as "WWW-Authenticate: Negotiate <base64 encoding>" (e.g. 
> WWW-Authenticate: Negotiate oYIBLj<remainder of base64 encoded string>).
> How does this map to ntlm_auth gss-spnego if ntlm_auth is 
> "server-speaks-first"?

I think we need to modify ntlm_auth to understand that if the YR
contains client data (the NegTokenInit) that it is the first step in the
actual authentication, not just a request for mechanisms.

Like the NTLMSSP sever-side now does - YR and KK should be treated the
same, except that YR resets the server-side state machine.

> Still a little confused on how GSS-SPNEGO, Negotiate SSP, Kerberos SSP and
> NTLM SSP goes together, but most I could find indicates GSS-SPNEGO is the
> protocol implemented by the Negotiate SSP, running ontop of the NTLM
> and Kerberos SSP, but then at the same time most of the same documents
> seem to be very Kerberos specific..

That sounds correct.  Jeremy's 'security soup' presentation at
linux.conf.au and SambaXP makes good fun with this area ;-)

Andrew Bartlett

Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba-technical/attachments/20040427/a328cf3f/attachment.bin

More information about the samba-technical mailing list