Following Steve's Question - Re Tokens in SPNEGO

William Brown wbrown at
Sat May 30 09:33:07 UTC 2020

> On 29 May 2020, at 20:40, Alexander Bokovoy via samba-technical <samba-technical at> wrote:
> Hi William,
> On Fri, 29 May 2020, William Brown via samba-technical wrote:
>> Hi there,
>> Thinking to Steve's question yesterday, it would be interesting to
> >> know from the experts on this mailing list an answer. What would
> >> opaque token authentication look like in Samba? How would a passdb
>> support this style of authentication? How would a client get the token
>> to pass through?
>> It would be great to know more about this and explore some of these thoughts. 
> My current thinking is around reusing existing infrastructure in the
> protocol. SMB3 authenticates with SPNEGO[1]. SPNEGO allows multiple
> authentication mechanisms to be advertised, with the most common ones being krb5
> and NTLM. These are not the only ones, a common extension mechanism
> called NEGOEX can be used as well[2].
> NEGOEX is basically a way to tunnel some method of authentication known
> to both client and server through SPNEGO. It doesn't need to
> require a third party (like a KDC) to broker the authenticity of the
> parties. MIT Kerberos supports NEGOEX since version 1.18, there are also
> patches for Heimdal.

How would the current tdb passdb or ldapsam work with this? A hook where the content of the negoex is sent to that module?

I.e. think bearer tokens from OAuth being passed in that can be validated, or a SAML assertion where you can check as the passdb has a registered handler.

It would be interesting to know how a Windows server + Windows desktop, both joined to Azure AD, conduct their authentication in this case, since there should be no NTLM or krb involved ....


>  gss_inquire_name(..., &attrs);
>  find an attribute with the right name
>  gss_get_name_attribute(..., name, attribute, ..., &value, ...);
>  extract NT security token or something that can be used to construct
>  it from the value with the right name
> [1]
> [2]
> -- 
> / Alexander Bokovoy


William Brown

Senior Software Engineer, 389 Directory Server
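As an added illustration of the SPNEGO mechanism list Alexander describes above (example code written for this page, not code from Samba, MIT Kerberos or Heimdal), the script below builds a minimal SPNEGO NegTokenInit with hand-rolled DER, then parses it back and names each advertised mechanism. The mechanism OIDs are the published ones from the GSS-API, MS-SPNG and MS-NEGOEX specifications; the client preference order is a constructed sample, and the reading "first OID in mechTypes is the client's preferred mechanism" follows RFC 4178. The parser rejects truncated or non-SPNEGO tokens instead of indexing past the buffer, which is the check a server-side hook would need before handing the NEGOEX payload to a backend.

```python
"""Build and decode a minimal SPNEGO NegTokenInit (RFC 4178) to see which
GSS-API mechanisms a client advertises, NEGOEX among them.

Added example for this page; DER encoding is hand-rolled so it runs offline.
"""

SPNEGO_OID = "1.3.6.1.5.5.2"

# Mechanism OIDs as published in the GSS-API / MS-SPNG / MS-NEGOEX specifications.
MECH_NAMES = {
    "1.2.840.113554.1.2.2": "krb5 (RFC 4121)",
    "1.2.840.48018.1.2.2": "ms-krb5 (Microsoft Kerberos)",
    "1.3.6.1.4.1.311.2.2.10": "ntlmssp",
    "1.3.6.1.4.1.311.2.2.30": "negoex (MS-NEGOEX)",
}


def encode_oid(dotted):
    """DER-encode the content octets of an OBJECT IDENTIFIER."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]           # base-128, last byte has no continuation bit
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes(body)


def decode_oid(body):
    """Inverse of encode_oid; raises ValueError on an empty OID body."""
    if not body:
        raise ValueError("empty OID")
    first = body[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    acc = 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def encode_len(n):
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def tlv(tag, content):
    return bytes([tag]) + encode_len(len(content)) + content


def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the TLV at buf[pos], bounds-checked."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        if nbytes == 0 or pos + nbytes > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("TLV content runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def build_neg_token_init(mech_oids):
    """InitialContextToken (RFC 2743) wrapping NegTokenInit { mechTypes [0] }."""
    mech_types = tlv(0x30, b"".join(tlv(0x06, encode_oid(o)) for o in mech_oids))
    neg_token_init = tlv(0x30, tlv(0xA0, mech_types))   # NegTokenInit ::= SEQUENCE
    neg_token = tlv(0xA0, neg_token_init)                # NegotiationToken CHOICE [0]
    return tlv(0x60, tlv(0x06, encode_oid(SPNEGO_OID)) + neg_token)


def parse_mech_types(token):
    """Return the advertised mechanism OIDs, in the client's preference order."""
    tag, body, _ = read_tlv(token, 0)
    if tag != 0x60:
        raise ValueError("not a GSS-API initial context token")
    tag, oid_body, pos = read_tlv(body, 0)
    if tag != 0x06 or decode_oid(oid_body) != SPNEGO_OID:
        raise ValueError("token is not SPNEGO")
    tag, neg_token_init, _ = read_tlv(body, pos)
    if tag != 0xA0:
        raise ValueError("not a NegTokenInit")
    tag, seq, _ = read_tlv(neg_token_init, 0)
    tag2, mech_types_ctx, _ = read_tlv(seq, 0)
    if tag != 0x30 or tag2 != 0xA0:
        raise ValueError("mechTypes missing")
    tag, mech_seq, _ = read_tlv(mech_types_ctx, 0)
    if tag != 0x30:
        raise ValueError("mechTypes is not a SEQUENCE")
    oids, pos = [], 0
    while pos < len(mech_seq):
        tag, oid_body, pos = read_tlv(mech_seq, pos)
        if tag != 0x06:
            raise ValueError("non-OID entry in mechTypes")
        oids.append(decode_oid(oid_body))
    return oids


def describe_mechs(token):
    """Name each advertised mechanism; unknown OIDs stay as dotted strings."""
    return [MECH_NAMES.get(oid, oid) for oid in parse_mech_types(token)]


if __name__ == "__main__":
    # Constructed sample: a client offering NEGOEX first, then Kerberos, then NTLM.
    sample = build_neg_token_init([
        "1.3.6.1.4.1.311.2.2.30", "1.2.840.48018.1.2.2",
        "1.2.840.113554.1.2.2", "1.3.6.1.4.1.311.2.2.10",
    ])
    print(sample.hex())
    for i, name in enumerate(describe_mechs(sample)):
        print(f"  {'preferred' if i == 0 else 'fallback '}: {name}")
```

A real server sees this token as the security blob of the SMB2 SESSION_SETUP request; the point of the parse is that a backend hook only ever gets to look at the NEGOEX payload if the outer token actually negotiated NEGOEX, so the mechanism list is the first thing to inspect.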
