Heimdal SPNEGO Won't Eat Negprot GSSAPI Token

Luke Howard lukeh at padl.com
Wed Oct 12 07:12:40 GMT 2005

Server-initiated SPNEGO is an MS-ism. The only version of Heimdal that
supports it is in the mechglue branch AFAIK.

-- Luke

>From: Michael B Allen <mba2000 at ioplex.com>
>Subject: Heimdal SPNEGO Won't Eat Negprot GSSAPI Token
>To: samba-technical at lists.samba.org
>Date: Tue, 11 Oct 2005 20:55:43 -0400
>I'm playing around with Heimdal GSSAPI and noticed gss_init_sec_context
>will not accept the NegTokenInit SPNEGO token provided in an
>SMB_COM_NEGOTIATE response. In fact due to some internal shortcuts it
>won't accept a NegTokenInit at all (presumably because it only supports
>Kerberos which can be completed in one exchange).
>So I thought I might work on some patches so that it eats this initial
>token and either returns an error because Kerberos 5 isn't advertised
>or GSS_S_CONTINUE_NEEDED. Also, I'm at least thinking about NTLMSSP.
>But from reading GSSAPI C bindings v2 RFC 2744 Section 5.19:
>    Initially, the input_token parameter should be specified either as
>    GSS_C_NO_BUFFER, or as a pointer to a gss_buffer_desc object whose
>    length field contains the value zero.
>Mmm, should I just pretend I didn't hear this? What am I supposed to do
>with the initial SPNEGO token returned in the SMB_COM_NEGOTIATE response?


More information about the samba-technical mailing list