Heimdal SPNEGO Won't Eat Negprot GSSAPI Token
Andrew Bartlett
abartlet at samba.org
Wed Oct 12 11:44:11 GMT 2005
On Wed, 2005-10-12 at 13:40 +0200, Love wrote:
> Michael B Allen <mba2000 at ioplex.com> writes:
>
> > The problem is that with an SMB client initiating, the first SPNEGO token
> > is actually provided by the *server*. It's a NegTokenInit with just a
> > mechList. There's no mechToken of course because it's coming from the
> > server.
> >
> > So what do you do with this token? If you try to pass this to Heimdal's
> > gss_init_sec_context it doesn't work because in spnego_init_sec_context
> > if the input_token is not empty it calls spnego_reply which strictly
> > handles only NegTokenTarg.
> >
> > But I'm not sure that's wrong. Now I'm thinking maybe this initial
> > mechList should just be handled externally (A. Bartlett sounds like
> > this is pretty much what Samba4 does). But that's a bummer because you
> > have to directly handle a SPNEGO token. So perhaps the proper thing to
> > do is pass it gss_accept_sec_context just to choose a mech.
>
> That kind of weird, its no longer SPNEGO but rather something else.
>
> Given a GSS_C_NO_CONTEXT context and a input token in init_sec_context the
> input token could be ignored (or use the mech-list, but its unsigned I'm
> not sure it should be used).
I would love to implement the new, secure SPNEGO, but the draft I read
just made my head spin with SOMIC rules...
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc. http://suse.de
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba-technical/attachments/20051012/484ce7d2/attachment.bin
More information about the samba-technical
mailing list