Issues bringing 'new SPENGO' to MIT Kerberos 1.8 builds

Andrew Bartlett abartlet at
Tue Feb 14 14:27:54 MST 2012

On Tue, 2012-02-14 at 11:56 -0500, simo wrote:
> On Tue, 2012-02-14 at 15:50 +1100, Andrew Bartlett wrote: 
> > On Tue, 2012-02-14 at 13:42 +1100, Luke Howard wrote:
> > > What do you need gss_krb5_export_lucid_sec_context for? Can you use GSS_C_INQ_SSPI_SESSION_KEY?
> > 
> > We used it to determine if CFX was used, and therefore that the new
> > (returning the mechListMic) SPENGO should be used, as we implement
> > SPNEGO outside GSSAPI.
> I meant to ask for a while, why don't we drop our own SPENGO and simply
> use the one in GSSAPI ? Are there deficiencies in it ?

I've wondered the same thing, but sadly there are some good reasons not

We would have to have a good way to push NTLMSSP and any other mech we
wished to introduce into GSSAPI's SPNEGO.  Then, once we get those in,
we would also need a good way to get out the PAC-equivalent and session
keys etc, and set up the auth context that the authentication would be

It would also be much harder to introduce server-side async processing
of NTLMSSP, as the GSS APIs are not async.

Andrew Bartlett

Andrew Bartlett                      
Authentication Developer, Samba Team 

More information about the samba-technical mailing list