samba-technical.10.overbored at samba-technical.10.overbored at
Fri Aug 19 08:44:58 GMT 2005

Thus spake Michael B Allen - mba2000 at on 8/18/2005 11:33 PM:
> On Thu, 18 Aug 2005 15:44:21 -0700
> samba-technical.10.overbored at wrote:
>>This is the corresponding SMB session setup requests/responses. Are 
>>these entire security blobs just the direct outputs of the SSPI calls to 
> Pretty much. I think GSSAPI handles everything from NegToken* down
> but you might want to create a little Windows proggie that negotiates
> a security context with itself and then hexdump the buffers to verify
> what layers are handled exactly.
> Mike

I did as you suggested. I got the NTLMSSP buffers outputted by 
InitializeSecurityContext/AcceptSecurityContext from this program 
(change "Kerberos" to "NTLM"):

I compared these to my Ethereal dumps. It turns out that they are the 
portion of the Security Blob that is under the section of Ethereal's 
dissection called "NTLMSSP" (see my screenshots). Everything in the 
Security Blob outside that is a mystery!

So, can anybody pinpoint what all that other stuff is, and how to 
generate it? (Using Windows APIs, perhaps?) Also, the entire Security 
Blob in the protocol negotiation response (the SPNEGO stuff) is just as 

Hopefully Samba4's gensec source won't be my only hope!
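
The layering asked about above, as an added example that is not part of the original post: a minimal DER walker that lists the wrapper elements around the NTLMSSP token and extracts the token. It assumes the blob uses the SPNEGO encoding that the NegToken* remark refers to (GSS-API tag 0x60, SPNEGO OID, NegTokenInit carrying the token in an OCTET STRING); the function names and the sample blob are constructed for illustration.

```python
# Added example: names and sample data are constructed, not taken from Samba or the post.
NTLMSSP_SIG = b"NTLMSSP\x00"
SPNEGO_OID = bytes.fromhex("2b0601050502")        # 1.3.6.1.5.5.2
NTLM_OID = bytes.fromhex("2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10

def read_tlv(buf, pos, end):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    if pos + 2 > end:
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > end:
            raise ValueError("unsupported or truncated length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > end:
        raise ValueError("element runs past its container")
    return tag, pos, pos + length

def walk(buf, start=0, end=None, depth=0):
    """Yield (depth, tag, value_offset, length) rows in pre-order."""
    pos, end = start, len(buf) if end is None else end
    while pos < end:
        tag, vs, ve = read_tlv(buf, pos, end)
        yield depth, tag, vs, ve - vs
        if tag & 0x20:                 # constructed: the value holds nested TLVs
            yield from walk(buf, vs, ve, depth + 1)
        pos = ve

def find_ntlmssp(blob):
    """Return the NTLMSSP token inside the blob, or None if there is none."""
    if blob.startswith(NTLMSSP_SIG):   # raw NTLMSSP with no SPNEGO wrapper
        return blob
    for _, tag, off, length in walk(blob):
        if tag == 0x04 and blob[off:off + 8] == NTLMSSP_SIG:  # OCTET STRING
            return blob[off:off + length]
    return None

# Constructed sample below; der() is a short-form-only TLV encoder used to build it.
def der(tag, value):
    return bytes([tag, len(value)]) + value

SAMPLE_NTLM = NTLMSSP_SIG + (1).to_bytes(4, "little") + bytes(20)  # NEGOTIATE, zeroed fields
SAMPLE_BLOB = der(0x60, der(0x06, SPNEGO_OID) + der(0xA0, der(0x30,
    der(0xA0, der(0x30, der(0x06, NTLM_OID))) + der(0xA2, der(0x04, SAMPLE_NTLM)))))

if __name__ == "__main__":
    for depth, tag, off, length in walk(SAMPLE_BLOB):
        print("  " * depth + f"tag=0x{tag:02x} offset={off} len={length}")
```

Run against a blob copied out of a capture, the rows before the final OCTET STRING are the wrapper bytes that sit outside the NTLMSSP section of the dissection.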
