Heimdal SPNEGO Won't Eat Negprot GSSAPI Token

Andrew Bartlett abartlet at samba.org
Wed Oct 12 05:25:47 GMT 2005

On Wed, 2005-10-12 at 00:02 -0400, Michael B Allen wrote:
> On Wed, 12 Oct 2005 12:43:18 +1000
> Andrew Bartlett <abartlet at samba.org> wrote:
> > There is some work for this in the mech-glue branch of Heimdal, I
> > think.  
> Where's that?

Well-hidden.  I just want to check with lha before posting it to a
public list.

> > > But from reading GSSAPI C bindings v2 RFC 2744 Section 5.19:
> > > 
> > >     Initially, the input_token parameter should be specified either as
> > >     GSS_C_NO_BUFFER, or as a pointer to a gss_buffer_desc object whose
> > >     length field contains the value zero.
> > > 
> > > Mmm, should I just pretend I didn't hear this? What am I supposed to do
> > > with the initial SPNEGO token returned in the SMB_COM_NEGOTIATE response?
> > 
> > I suppose so.  
> Actually I have since realized that maybe you can't feed NegTokenInit to
> gss_init_sec_context. It seems the GSSAPI+SPNEGO rules are:
>     gss_init_sec_context inputs NegTokenTarg and outputs NegTokenInit
>   gss_accept_sec_context inputs NegTokenInit and outputs NegTokenTarg
> but the initiator's first input token to gss_init_sec_context is always
> empty. If this is true, then the SMB_COM_NEGOTIATE response NegTokenInit
> token requires calling gss_ACCEPT_sec_context playing the role of
> acceptor. Then I guess you discard the half baked security context and
> start over as the initiator.

No, I just think the rules are wrong, and that the client or server can
send the first init.  At least that's how I've coded it.

> But that feels kind of odd so maybe SPNEGO just doesn't conform well
> to GSSAPI over SMB and the initial NegTokenInit is meant to be handled
> externally since it's just a list of available mechs.

You need to know the list, so you can make a good start on the
NegTokenInit from the client.

> How do you guys handle this initial token in Samba4?

I just accept and parse it.

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba-technical/attachments/20051012/92f6382d/attachment.bin

More information about the samba-technical mailing list