On Wed, 28 Aug 2002, Jim McDonough wrote:
OK, this is great. However, it seems that 1 & 2 are GSS-API encapsulated as well, while the rest are not. > > I'll map out what I see happen (and I'm sure this is a correct > interpretation, though there are other possible flows that I haven't seen). > (I) = initiator/client, (T) = target/server. Please note that on each > SPNEGO call, all args are optional, and if I don't list them, they aren't > being sent on the wire. > > First, I'll do the flow if NTLMSSP is negotiated: > 1> (I) Negprot request, with extended security bit on > > 2> (T) Negprot reply, containing SPNEGO-encapsulated > NegTokenInit(mechTypes(MS's badly formed krb5 OID, real krb5 OID, > user-to-user krb5 OID, NTLMSSP OID), mechListMIC(server principal)) > (Notice: no reqFlags or mechToken is sent) > > 3> (I) SesssetupandX req, containing SPNEGO-encapsulated > NegTokenInit(mechTypes(only the NTLMSSP OID), mechToken(NTLMSSP Negotiate > command)) > > 4> (T) Sesssetup resp with ERR_MORE_PROCESSING_REQUIRED, containing > NegTokenTarg(negResult(accept_incomplete), mechType(NTLMSSP OID), response > token(NTLMSSP challenge command), mechListMIC(exact duplication of the > NTLMSSP challenge command)) (note that the GSSAPI-SPNEGO encapsulation is > gone, just the NegTokenTarg goes on the wire) > > 5> (I) SesssetupandX req, containing NegTokenTarg(responseToken(NTLMSSP > auth command containing password hash(es))) > > 6> (T) Sesssetup resp containing NegTokenTarg(negResult(accept_complete)) > > > The flow for client-server kerberos is: > 1> same as above > 2> same as above > > OPTIONAL STEPS> do tgs-req and get tgs-reply from from KDC - these may > already be done. > > 3> (I) SesssetupandX req, containing SPNEGO-encapuslated > NegTokenInit(mechTypes(all 4 OIDS from step 2), mechToken(krb AP_REQ > containing ticket)) > 4> (T) Sesssetup resp, containing NegTokenTarg(negResult(accept_complete), > mechType(bad or good krb5 OID (bad if it's their system)), response > token(krb5 AP_REPLY), mechListMIC(exact duplicate of krb5 AP_REPLY)) > > ---------------------------- > Jim McDonough > IBM Linux Technology Center > Samba Team > 6 Minuteman Drive > Scarborough, ME 04074 > USA > > [EMAIL PROTECTED] > [EMAIL PROTECTED] > > Phone: (207) 885-5565 > IBM tie-line: 776-9984 > > -- Regards ----- Richard Sharpe, [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
