[Samba] Suppressing the GSS-API SPNEGO negTokenInit message on Negotiate Protocol Response

Volker Lendecke Volker.Lendecke at SerNet.DE
Sun Sep 19 21:27:05 MDT 2010


On Mon, Sep 20, 2010 at 12:51:45AM +0200, Shay Barak wrote:
> I'm looking to emulate the behavior of some older Windows servers, mainly
> old Win2k/XP machines.
> On newer clients (possibly XP-SP2 and above), the SMB server will send a
> GSS-API message at the end of the Negotiate Protocol Response packet
> detailing the supported Security Service Providers by OIDs in a negTokenInit
> structure. However, older servers did not send this message and usually
> received a "raw" (i.e. not wrapped in a GSS-API message) NTLMSSP type 1
> Negotiate message (or occasionally a Kerberos BLOB) in the following Session
> Setup AndX Request. This is the kind of behavior that I'm looking to
> emulate.
> 
> I tried setting "use spnego = no" in the smb.conf file but it removed
> Extended Security from the FLAGS2 field and as a result I received an
> entirely different response from the client (not the raw NTLMSSP BLOB that I
> was looking for).
> 
> Is it possible to get the behavior that I want from SAMBA?

Right now I don't see it. Can you send a network trace of
a server doing that?

Volker
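The two framings discussed in this thread can be told apart from the first bytes of the security blob in a Session Setup AndX Request. The following is an added example, not part of the original thread and not Samba code: a small classifier for labelling blobs pulled from a network trace. The function names, return labels and sample blobs are assumptions made for illustration.

```python
NTLMSSP_SIG = b"NTLMSSP\x00"
OID_SPNEGO = bytes.fromhex("2b0601050502")           # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("2a864886f712010202")       # 1.2.840.113554.1.2.2
OID_NTLMSSP = bytes.fromhex("2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10

def _der_header(buf, pos):
    """Return (tag, length, value_offset) for the DER TLV starting at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                       # short-form length
        return tag, first, pos + 2
    n = first & 0x7F                       # long form: n length octets follow
    if not 1 <= n <= 4 or pos + 2 + n > len(buf):
        raise ValueError("bad DER length")
    return tag, int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n

def classify_security_blob(blob):
    """Label the security blob of a Session Setup AndX Request (hypothetical labels)."""
    if blob.startswith(NTLMSSP_SIG):       # "raw": no GSS-API framing at all
        if len(blob) < 12:
            return "malformed"
        mtype = int.from_bytes(blob[8:12], "little")   # 1 = Negotiate
        return f"raw-ntlmssp-type{mtype}"
    try:
        tag, length, pos = _der_header(blob, 0)
        if tag == 0xA1:                    # bare negTokenResp (later legs)
            return "spnego-negTokenResp"
        if tag != 0x60:                    # not a GSS-API initial token
            return "unknown"
        otag, olen, opos = _der_header(blob, pos)
        if otag != 0x06 or pos + length > len(blob):
            raise ValueError("no mechanism OID or truncated token")
    except ValueError:
        return "malformed"
    oid = blob[opos:opos + olen]
    if oid == OID_SPNEGO:
        return "spnego-negTokenInit"
    return "gssapi-kerberos" if oid == OID_KRB5 else "gssapi-other"

def _tlv(tag, value):                      # builds the constructed samples only
    return bytes([tag, len(value)]) + value

# Constructed samples, not captured traffic: a raw type 1 message, then the
# same message carried as the mechToken of a SPNEGO negTokenInit.
RAW_TYPE1 = NTLMSSP_SIG + (1).to_bytes(4, "little") + (0x00088207).to_bytes(4, "little")
WRAPPED = _tlv(0x60, _tlv(0x06, OID_SPNEGO) + _tlv(0xA0, _tlv(0x30,
    _tlv(0xA0, _tlv(0x30, _tlv(0x06, OID_NTLMSSP))) +
    _tlv(0xA2, _tlv(0x04, RAW_TYPE1)))))
```

The classifier expects only the security blob, so the SMB header and the other Session Setup fields must be stripped before calling it.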

