ntlm_auth --helper-protocol=gss-spnego
Andrew Bartlett
abartlet at samba.org
Mon Apr 26 22:45:07 GMT 2004
On Tue, 2004-04-27 at 01:37, Henrik Nordstrom wrote:
> On Mon, 26 Apr 2004, Andrew Bartlett wrote:
>
> > The order is changed - SPNEGO is a server-speaks-first protocol, so the
> > first YR gets things moving.
>
> Confused.. according to the MS docs I can find Negotiate over HTTP is a
> client-speaks-first protocol just like NTLM over HTTP..
>
> [skipping the dummy step establishing that the Negotiate mechanism is at
> all available]
>
> * Client calls InitializeSecurityContext() and generates a NegTokenInit,
> does a base64 encoding of it, and resends the Get with the following
> header: "Authorization: Negotiate <base64 encoding>" (e.g. Authorization:
> Negotiate YIIGUQY<remainder of base64 encoded string>).
>
> * Server decodes the NegTokenInit, extracts the supported MechTypes (the
> one at the front of the MechTypeList should be either Kerberos Legacy or
> Kerberos V5), ensures it is one of the expected ones, and then extracts
> the MechToken and authenticates using gss_accept_security_context.
>
> * If gss_accept_security_context returns GSS_S_CONTINUE_NEEDED, the Web
> server should return HTTP 401 (Unauthorized) status, and the response
> token as "WWW-Authenticate: Negotiate <base64 encoding>" (e.g.
> WWW-Authenticate: Negotiate oYIBLj<remainder of base64 encoded string>).
>
>
> How does this map to ntlm_auth gss-spnego if ntlm_auth is
> "server-speaks-first"?
I think we need to modify ntlm_auth to understand that if the YR
contains client data (the NegTokenInit) that it is the first step in the
actual authentication, not just a request for mechanisms.
Like the NTLMSSP server-side now does - YR and KK should be treated the
same, except that YR resets the server-side state machine.
> Still a little confused on how GSS-SPNEGO, Negotiate SSP, Kerberos SSP and
> NTLM SSP goes together, but most I could find indicates GSS-SPNEGO is the
> protocol implemented by the Negotiate SSP, running on top of the NTLM
> and Kerberos SSP, but then at the same time most of the same documents
> seem to be very Kerberos specific..
That sounds correct. Jeremy's 'security soup' presentation at
linux.conf.au and SambaXP makes good fun with this area ;-)
Andrew Bartlett
--
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
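Added example, not code from this thread or from Samba's ntlm_auth: a small Python script that performs the first server-side step the quoted MS description lists. It takes an `Authorization: Negotiate <base64>` value, decodes the GSS-API InitialContextToken, checks the SPNEGO OID, and pulls the MechTypeList and MechToken out of the NegTokenInit so a server (or an ntlm_auth-style helper handed a YR line with client data) can confirm the front mechanism is Kerberos V5 or legacy Kerberos before passing the inner token on. The DER encoder and decoder, the OID constants, the function names and the constructed sample token are all assumptions of this example. It also shows why the two base64 prefixes quoted above differ: "YII..." decodes to the 0x60 InitialContextToken tag of a client NegTokenInit, while "oYI..." decodes to the 0xA1 tag of a server NegTokenResp.

```python
"""Inspect the SPNEGO NegTokenInit carried in an HTTP Negotiate header.

Example code with its own minimal DER handling; not Samba or ntlm_auth code.
"""
import base64

# Well-known GSS-API mechanism OIDs (dotted form).
SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_OID = "1.2.840.113554.1.2.2"
MS_KRB5_OID = "1.2.840.48018.1.2.2"      # "Kerberos Legacy" in the MS docs
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"


def _der_len(n):
    """Encode a DER length (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _oid(dotted):
    """DER-encode a dotted OID (base-128 arcs, first two arcs combined)."""
    parts = [int(x) for x in dotted.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out += bytes(reversed(chunk))
    return _tlv(0x06, bytes(out))


def _decode_oid(body):
    parts = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))


def _read_tlv(buf, pos):
    """Return (tag, contents, position after the element)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + ln], pos + ln


def build_neg_token_init(mech_oids, mech_token):
    """Build a GSS-API InitialContextToken wrapping a SPNEGO NegTokenInit.

    Structure: 0x60 { SPNEGO OID, [0] SEQUENCE { [0] MechTypeList,
    [2] OCTET STRING mechToken } }.  Used here only to construct test input.
    """
    mech_list = _tlv(0x30, b"".join(_oid(o) for o in mech_oids))
    body = _tlv(0xA0, mech_list) + _tlv(0xA2, _tlv(0x04, mech_token))
    neg_init = _tlv(0xA0, _tlv(0x30, body))
    return _tlv(0x60, _oid(SPNEGO_OID) + neg_init)


def parse_negotiate_header(value):
    """Parse 'Negotiate <base64>' and return the NegTokenInit's mech list and token."""
    scheme, _, b64 = value.strip().partition(" ")
    if scheme.lower() != "negotiate":
        raise ValueError("not a Negotiate header")
    token = base64.b64decode(b64, validate=True)
    tag, body, _ = _read_tlv(token, 0)
    if tag != 0x60:
        raise ValueError("not a GSS-API InitialContextToken")
    tag, oid_body, pos = _read_tlv(body, 0)
    if tag != 0x06 or _decode_oid(oid_body) != SPNEGO_OID:
        raise ValueError("not a SPNEGO token")
    tag, neg, _ = _read_tlv(body, pos)
    if tag != 0xA0:                      # [1] would be a NegTokenResp
        raise ValueError("not a NegTokenInit")
    _, seq, _ = _read_tlv(neg, 0)
    mech_types, mech_token, pos = [], b"", 0
    while pos < len(seq):
        tag, inner, pos = _read_tlv(seq, pos)
        if tag == 0xA0:                  # [0] MechTypeList
            _, lst, _ = _read_tlv(inner, 0)
            p = 0
            while p < len(lst):
                _, ob, p = _read_tlv(lst, p)
                mech_types.append(_decode_oid(ob))
        elif tag == 0xA2:                # [2] mechToken
            _, mech_token, _ = _read_tlv(inner, 0)
    return {"mech_types": mech_types, "mech_token": mech_token}


def preferred_mech(mech_types):
    """Classify the front-of-list mechanism, as the server must before accepting."""
    if not mech_types:
        return "none"
    if mech_types[0] in (KRB5_OID, MS_KRB5_OID):
        return "kerberos"
    if mech_types[0] == NTLMSSP_OID:
        return "ntlmssp"
    return "unknown"


def classify_token_prefix(b64):
    """Tell client NegTokenInit (0x60) from server NegTokenResp (0xA1) by the first byte."""
    first = base64.b64decode(b64[:4])[0]
    return {0x60: "NegTokenInit", 0xA1: "NegTokenResp"}.get(first, "unknown")


if __name__ == "__main__":
    # Constructed sample: Kerberos first, NTLMSSP as fallback, dummy mech token.
    sample = build_neg_token_init([MS_KRB5_OID, KRB5_OID, NTLMSSP_OID], b"\x60constructed")
    header = "Negotiate " + base64.b64encode(sample).decode()
    parsed = parse_negotiate_header(header)
    print(parsed["mech_types"], preferred_mech(parsed["mech_types"]))
    print(classify_token_prefix("YIIGUQY"), classify_token_prefix("oYIBLj"))
```

The script only looks at the SPNEGO envelope; the inner mech token still goes to the real mechanism (gss_accept_sec_context or the NTLMSSP server state machine), and a GSS_S_CONTINUE_NEEDED result is what the server turns into the 401 with `WWW-Authenticate: Negotiate <base64 NegTokenResp>`.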