ntlmssp errors against El Capitan's SMB Server

Jeremy Allison jra at samba.org
Tue Aug 30 20:13:57 UTC 2016

On Tue, Aug 30, 2016 at 03:54:33PM -0400, Simo wrote:
> This is not how spnego is supposed to work, once a mechListMIC is
> returned by one of the parties and it checks out then you do not add
> another one on the way back.
> Whether the client or the server send a mechListMIC depends on the
> mechanism selected and how many round trips it implies.
> Going by memory but IIRC:
> If kerberos is used usually it's the server that send the mechlistMIC
> as the last leg is done at the server. In case of NTLM the client needs
> to send back one more token so it is the client that generates the
> mechlistMIC.
> I may be wrong on some minor detail or the directions :-)


does imply that mechListMIC's are exchanged.


5.  Processing of mechListMIC

makes my brain hurt :-). Especially:

"Acceptors that wish to be
      compatible with legacy Windows SPNEGO implementations, as
      described in Appendix C, should not generate a mechlistMIC token
      when the MIC token exchange is not required."

More information about the samba-technical mailing list