Funny security blob in sesssetup&X.
Richard Sharpe
rsharpe at ns.aus.com
Wed Aug 28 08:04:01 GMT 2002
On Wed, 28 Aug 2002, Jim McDonough wrote:
OK, this is great. However, it seems that 1 & 2 are GSS-API encapsulated
as well, while the rest are not.
>
> I'll map out what I see happen (and I'm sure this is a correct
> interpretation, though there are other possible flows that I haven't seen).
> (I) = initiator/client, (T) = target/server. Please note that on each
> SPNEGO call, all args are optional, and if I don't list them, they aren't
> being sent on the wire.
>
> First, I'll do the flow if NTLMSSP is negotiated:
> 1> (I) Negprot request, with extended security bit on
>
> 2> (T) Negprot reply, containing SPNEGO-encapsulated
> NegTokenInit(mechTypes(MS's badly formed krb5 OID, real krb5 OID,
> user-to-user krb5 OID, NTLMSSP OID), mechListMIC(server principal))
> (Notice: no reqFlags or mechToken is sent)
>
> 3> (I) SesssetupandX req, containing SPNEGO-encapsulated
> NegTokenInit(mechTypes(only the NTLMSSP OID), mechToken(NTLMSSP Negotiate
> command))
>
> 4> (T) Sesssetup resp with ERR_MORE_PROCESSING_REQUIRED, containing
> NegTokenTarg(negResult(accept_incomplete), mechType(NTLMSSP OID), response
> token(NTLMSSP challenge command), mechListMIC(exact duplication of the
> NTLMSSP challenge command)) (note that the GSSAPI-SPNEGO encapsulation is
> gone, just the NegTokenTarg goes on the wire)
>
> 5> (I) SesssetupandX req, containing NegTokenTarg(responseToken(NTLMSSP
> auth command containing password hash(es)))
>
> 6> (T) Sesssetup resp containing NegTokenTarg(negResult(accept_complete))
>
>
> The flow for client-server kerberos is:
> 1> same as above
> 2> same as above
>
> OPTIONAL STEPS> do tgs-req and get tgs-reply from from KDC - these may
> already be done.
>
> 3> (I) SesssetupandX req, containing SPNEGO-encapuslated
> NegTokenInit(mechTypes(all 4 OIDS from step 2), mechToken(krb AP_REQ
> containing ticket))
> 4> (T) Sesssetup resp, containing NegTokenTarg(negResult(accept_complete),
> mechType(bad or good krb5 OID (bad if it's their system)), response
> token(krb5 AP_REPLY), mechListMIC(exact duplicate of krb5 AP_REPLY))
>
> ----------------------------
> Jim McDonough
> IBM Linux Technology Center
> Samba Team
> 6 Minuteman Drive
> Scarborough, ME 04074
> USA
>
> jmcd at us.ibm.com
> jmcd at samba.org
>
> Phone: (207) 885-5565
> IBM tie-line: 776-9984
>
>
--
Regards
-----
Richard Sharpe, rsharpe at ns.aus.com, rsharpe at samba.org,
sharpe at ethereal.com
More information about the samba-technical
mailing list