Heimdal SPNEGO Won't Eat Negprot GSSAPI Token

Michael B Allen mba2000 at ioplex.com
Wed Oct 12 07:22:31 GMT 2005

On Wed, 12 Oct 2005 06:47:31 +0200
Love <lha at kth.se> wrote:

> Michael B Allen <mba2000 at ioplex.com> writes:
> > Hey,
> >
> > I'm playing around with Heimdal GSSAPI and noticed gss_init_sec_context
> > will not accept the NegTokenInit SPNEGO token provided in an
> > SMB_COM_NEGOTIATE response. In fact due to some internal shortcuts it
> > won't accept a NegTokenInit at all (presumably because it only supports
> > Kerberos which can be completed in one exchange).
> What version of Heimdal are you looking at? 0.7 and later should support
> (ms) SPNEGO.

I know, I'm using 0.7.1.

The problem is that with an SMB client initiating, the first SPNEGO token
is actually provided by the *server*. It's a NegTokenInit with just a
mechList. There's no mechToken of course because it's coming from the

So what do you do with this token? If you try to pass this to Heimdal's
gss_init_sec_context it doesn't work because in spnego_init_sec_context
if the input_token is not empty it calls spnego_reply which strictly
handles only NegTokenTarg.

But I'm not sure that's wrong. Now I'm thinking maybe this initial
mechList should just be handled externally (A. Bartlett sounds like
this is pretty much what Samba4 does). But that's a bummer because you
have to directly handle a SPNEGO token. So perhaps the proper thing to
do is pass it gss_accept_sec_context just to choose a mech.

Any insight appreciated,
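
The "handle the mechList externally" option raised in this message, as an added example (not code from the post, Heimdal or Samba): a minimal DER walk that pulls the offered mechanism OIDs out of a server-supplied NegTokenInit, so a client can pick a mech before calling gss_init_sec_context. The names `spnego_hint_mechs`, `der_enter` and `struct mech` are hypothetical, and the token bytes are a constructed sample.

```c
#include <string.h>

/* Constructed sample: server-side NegTokenInit holding only a mechList. */
static const unsigned char sample_hint[] = {
    0x60, 0x32, 0x06, 0x06, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x02, /* SPNEGO OID */
    0xa0, 0x28, 0x30, 0x26, 0xa0, 0x24, 0x30, 0x22,             /* mechTypes */
    0x06, 0x09, 0x2a, 0x86, 0x48, 0x82, 0xf7, 0x12, 0x01, 0x02, 0x02, /* MS krb5 */
    0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02, /* krb5 */
    0x06, 0x0a, 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x02, 0x02, 0x0a /* NTLMSSP */
};
struct mech { const unsigned char *oid; size_t len; }; /* hypothetical type */

/* Enter a DER element with the expected tag; return content length or -1. */
static long der_enter(const unsigned char **p, const unsigned char *end, unsigned char tag)
{
    const unsigned char *q = *p;
    size_t len, n;
    if (end - q < 2 || *q++ != tag) return -1;
    len = *q++;
    if (len & 0x80) {                       /* long form: n length bytes follow */
        n = len & 0x7f;
        if (n == 0 || n > 2 || (size_t)(end - q) < n) return -1;
        for (len = 0; n > 0; n--) len = (len << 8) | *q++;
    }
    if ((size_t)(end - q) < len) return -1; /* content must fit in the parent */
    *p = q;
    return (long)len;
}

/* Fill out[] with the offered mech OIDs; return the count, or -1 on bad input. */
int spnego_hint_mechs(const unsigned char *buf, size_t buflen, struct mech *out, int max)
{
    /* after the token header: [0] NegTokenInit, SEQUENCE, [0] mechTypes, SEQUENCE OF */
    static const unsigned char path[] = {0xa0, 0x30, 0xa0, 0x30};
    const unsigned char *p = buf, *end = buf + buflen;
    long n;
    int i, count = 0;
    if ((n = der_enter(&p, end, 0x60)) < 8 || memcmp(p, "\x06\x06\x2b\x06\x01\x05\x05\x02", 8)) return -1;
    end = p + n;
    p += 8;                                 /* skip thisMech, the SPNEGO OID 1.3.6.1.5.5.2 */
    for (i = 0; i < 4; i++) {
        if ((n = der_enter(&p, end, path[i])) < 0) return -1;
        end = p + n;
    }
    while (p < end) {                       /* one OBJECT IDENTIFIER per mech */
        if (count == max || (n = der_enter(&p, end, 0x06)) < 0) return -1;
        out[count++] = (struct mech){ p, (size_t)n };
        p += n;
    }
    return count;
}
```

The returned OIDs point into the caller's buffer. A NegTokenTarg (tag 0xa1) or a truncated blob yields -1 rather than a partial list.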
