ntlm_auth question

Mohan Narayanaswamy mohann at silver-peak.com
Thu Aug 20 17:35:10 MDT 2009

Henrik & Kai,

Thanks for your help. 

I am trying to catch-up with Samba's nmtl_auth code for detailed
I will get back to you once I attempt an implementation.


-----Original Message-----
From: Henrik Nordstrom [mailto:henrik at henriknordstrom.net] 
Sent: Wednesday, August 19, 2009 4:25 AM
To: Mohan Narayanaswamy
Cc: samba-technical at lists.samba.org
Subject: Re: ntlm_auth question

ons 2009-08-12 klockan 00:24 -0700 skrev Mohan Narayanaswamy:

> Is this still undocumented ? Are there better documentations for this
> gss-spnego helper protocol ? 

The spnego protocol used by Squid is as follows, should be the same as
Samba but not 100% sure..

Initial requests to ntlm_auth:

YR base64blob

Additional requests in the same auth session uses

KK base64blob

No "done/aborted" request message is used, instead it's assumed the
authentication state is implicitly reset by ntlm_auth on the next YR

Responses expected from the helper:

Intermediary negotiate/challenge response which needs to be sent to the
requesting client

TT base64blob [any extra info is discarded]

Authentication successful

AF base64blob username

Authentication unsuccessful.  The reason message is optional and
continues to the end of the line if given

NA base64blob reasonmessage

Error conditions where authentication can not continue

BH errormessage

The base64blobs are Microsoft SPNEGO packets in base64 encoding.


More information about the samba-technical mailing list