Hi Joe,
I had wondered whether this would show up. The problem is really that the Negotiate/NTLM auth scheme is completely broken.
Yep, I've heard that before. Problem is: it's the only choice for me...
I tracked the problem down to this: 1. neon doesnot clear its sspi context / token if a connection is closed. Therefore the old token is used on the new connection, and the server does not accept that.
This can be fixed by adding a new hook, I suppose.
That's just what I did in my (too ugly to post) hack.
2. neon should not close the connection if it is in the sspi/auth negotiation for the non-idempotent messages (line 1216 in ne_request.c). The NTLM authentication is a multi-leg authentication, meaning we need at least 2 requests to do authentication. neon closes the connection after the first request, resulting in problem 1..
For SSPI the flag could just be cleared, it loses some reliability but that's going to be tough luck - can you try this patch?
I've tried it, and it fails. (even tried to put it in the ah_create hook...) The connection is closed before the pre_send hook is called. I don't think you can fix it with the current hooks and flags. The idempotent flag is set (and checked against) between the creation of the request and the pre_send hooks) See for example the ne_lock flow. In my very ugly hack I introduced a connection_closed hook and a new "please do not disconnect, I'm in auth negotiation"-flag. If that is what it takes I can send the diff to you for review. Hope to help, Robert _______________________________________________ neon mailing list [email protected] http://mailman.webdav.org/mailman/listinfo/neon
