Heimdal SPNEGO Won't Eat Negprot GSSAPI Token
abartlet at samba.org
Wed Oct 12 02:43:18 GMT 2005
On Tue, 2005-10-11 at 20:55 -0400, Michael B Allen wrote:
> I'm playing around with Heimdal GSSAPI and noticed gss_init_sec_context
> will not accept the NegTokenInit SPNEGO token provided in an
> SMB_COM_NEGOTIATE response. In fact due to some internal shortcuts it
> won't accept a NegTokenInit at all (presumably because it only supports
> Kerberos which can be completed in one exchange).
There is some work for this in the mech-glue branch of Heimdal, I
> So I thought I might work on some patches so that it eats this initial
> token and either returns an error because Kerberos 5 isn't advertised
> or GSS_S_CONTINUE_NEEDED. Also, I'm at least thinking about NTLMSSP.
The Samba3 SPNEGO is really, really dodgy. I suggest first looking at
making it accept Samba4's SPNEGO. You could even write a 'local'
testsuite in Samba4 to check against GENSEC directly.
> But from reading GSSAPI C bindings v2 RFC 2744 Section 5.19:
>
>   Initially, the input_token parameter should be specified either as
>   GSS_C_NO_BUFFER, or as a pointer to a gss_buffer_desc object whose
>   length field contains the value zero.
>
> Mmm, should I just pretend I didn't hear this? What am I supposed to do
> with the initial SPNEGO token returned in the SMB_COM_NEGOTIATE response?
I suppose so.
Andrew Bartlett http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc. http://suse.de
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net
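
The check discussed in this message (does the NegTokenInit handed back in the SMB_COM_NEGOTIATE response advertise Kerberos 5 at all?) can be written as a bounds-checked DER walk over the token. This is an added example, not part of the original thread and not Heimdal or Samba code; the struct, the function names and both sample tokens are constructed for illustration. It assumes the mechTypes field is present and matches only the standard Kerberos 5 OID 1.2.840.113554.1.2.2.

```c
#include <stddef.h>
#include <string.h>

struct der { const unsigned char *p; size_t n; };  /* cursor over untrusted bytes */

/* Consume one TLV carrying `tag`; `out` then spans its contents.
 * Definite lengths only, at most two length octets. */
static int der_enter(struct der *in, unsigned char tag, struct der *out)
{
    size_t len, hdr = 2, k, i;
    if (in->n < 2 || in->p[0] != tag) return -1;
    len = in->p[1];
    if (len & 0x80) {
        k = len & 0x7f;
        if (k == 0 || k > 2 || in->n < 2 + k) return -1;
        for (len = 0, i = 0; i < k; i++) len = (len << 8) | in->p[2 + i];
        hdr += k;
    }
    if (len > in->n - hdr) return -1;      /* contents must fit in what is left */
    out->p = in->p + hdr; out->n = len;
    in->p += hdr + len;   in->n -= hdr + len;
    return 0;
}

static const unsigned char SPNEGO_OID[] = {0x2b,0x06,0x01,0x05,0x05,0x02};
static const unsigned char KRB5_OID[] = {0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x02};

/* 1: Kerberos 5 is in mechTypes, 0: it is not, -1: malformed token. */
int negtokeninit_offers_krb5(const unsigned char *buf, size_t len)
{
    struct der in = { buf, len }, tok, oid, choice, seq, mt, list;
    if (der_enter(&in, 0x60, &tok) || der_enter(&tok, 0x06, &oid)) return -1;
    if (oid.n != sizeof SPNEGO_OID || memcmp(oid.p, SPNEGO_OID, oid.n)) return -1;
    if (der_enter(&tok, 0xa0, &choice) || der_enter(&choice, 0x30, &seq)) return -1;
    if (der_enter(&seq, 0xa0, &mt) || der_enter(&mt, 0x30, &list)) return -1;
    while (list.n) {
        if (der_enter(&list, 0x06, &oid)) return -1;
        if (oid.n == sizeof KRB5_OID && !memcmp(oid.p, KRB5_OID, oid.n)) return 1;
    }
    return 0;
}

/* Constructed sample tokens (not captured traffic). */
static const unsigned char TOKEN_NTLMSSP_ONLY[] = {
    0x60,0x1c,0x06,0x06,0x2b,0x06,0x01,0x05,0x05,0x02,0xa0,0x12,0x30,0x10,0xa0,0x0e,
    0x30,0x0c,0x06,0x0a,0x2b,0x06,0x01,0x04,0x01,0x82,0x37,0x02,0x02,0x0a };
static const unsigned char TOKEN_KRB5_NTLMSSP[] = {
    0x60,0x27,0x06,0x06,0x2b,0x06,0x01,0x05,0x05,0x02,0xa0,0x1d,0x30,0x1b,0xa0,0x19,
    0x30,0x17,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x02,0x06,0x0a,0x2b,
    0x06,0x01,0x04,0x01,0x82,0x37,0x02,0x02,0x0a };
```

A result of 0 corresponds to the "Kerberos 5 isn't advertised" error case in the quoted text, and 1 to the case where the exchange can continue.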