Heimdal SPNEGO Won't Eat Negprot GSSAPI Token

Love lha at kth.se
Wed Oct 12 11:40:09 GMT 2005

Michael B Allen <mba2000 at ioplex.com> writes:

> The problem is that with an SMB client initiating, the first SPNEGO token
> is actually provided by the *server*. It's a NegTokenInit with just a
> mechList. There's no mechToken of course because it's coming from the
> server.
> So what do you do with this token? If you try to pass this to Heimdal's
> gss_init_sec_context it doesn't work because in spnego_init_sec_context
> if the input_token is not empty it calls spnego_reply which strictly
> handles only NegTokenTarg.
> But I'm not sure that's wrong. Now I'm thinking maybe this initial
> mechList should just be handled externally (A. Bartlett sounds like
> this is pretty much what Samba4 does). But that's a bummer because you
> have to directly handle a SPNEGO token. So perhaps the proper thing to
> do is pass it gss_accept_sec_context just to choose a mech.

That kind of weird, its no longer SPNEGO but rather something else.

Given a GSS_C_NO_CONTEXT context and a input token in init_sec_context the
input token could be ignored (or use the mech-list, but its unsigned I'm
not sure it should be used).


-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 477 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20051012/a65863e5/attachment.bin

More information about the samba-technical mailing list