ntlmssp errors against El Capitan's SMB Server
jra at samba.org
Tue Aug 30 20:13:57 UTC 2016
On Tue, Aug 30, 2016 at 03:54:33PM -0400, Simo wrote:
> This is not how spnego is supposed to work, once a mechListMIC is
> returned by one of the parties and it checks out then you do not add
> another one on the way back.
> Whether the client or the server send a mechListMIC depends on the
> mechanism selected and how many round trips it implies.
> Going by memory but IIRC:
> If kerberos is used usually it's the server that send the mechlistMIC
> as the last leg is done at the server. In case of NTLM the client needs
> to send back one more token so it is the client that generates the
> I may be wrong on some minor detail or the directions :-)
does imply that mechListMIC's are exchanged.
5. Processing of mechListMIC
makes my brain hurt :-). Especially:
"Acceptors that wish to be
compatible with legacy Windows SPNEGO implementations, as
described in Appendix C, should not generate a mechlistMIC token
when the MIC token exchange is not required."
More information about the samba-technical