Shay Barak
2010-Sep-19 22:51 UTC
[Samba] Suppressing the GSS-API SPNEGO negTokenInit message on Negotiate Protocol Response
Dear SAMBA experts,

I'm looking to emulate the behavior of some older Windows servers, mainly old Win2k/XP machines. On newer clients (possibly XP-SP2 and above), the SMB server will send a GSS-API message at the end of the Negotiate Protocol Response packet detailing the supported Security Service Providers by OIDs in a negTokenInit structure. However, older servers did not send this message and usually received a "raw" (i.e. not wrapped in a GSS-API message) NTLMSSP type 1 Negotiate message (or occasionally a Kerberos BLOB) in the following Session Setup AndX Request. This is the kind of behavior that I'm looking to emulate.

I tried setting "use spnego = no" in the smb.conf file but it removed Extended Security from the FLAGS2 field and as a result I received an entirely different response from the client (not the raw NTLMSSP BLOB that I was looking for).

Is it possible to get the behavior that I want from SAMBA?

Thanks.
Volker Lendecke
2010-Sep-20 03:27 UTC
[Samba] Suppressing the GSS-API SPNEGO negTokenInit message on Negotiate Protocol Response
On Mon, Sep 20, 2010 at 12:51:45AM +0200, Shay Barak wrote:
> I'm looking to emulate the behavior of some older Windows servers, mainly
> old Win2k/XP machines.
> On newer clients (possibly XP-SP2 and above), the SMB server will send a
> GSS-API message at the end of the Negotiate Protocol Response packet
> detailing the supported Security Service Providers by OIDs in a negTokenInit
> structure. However, older servers did not send this message and usually
> received a "raw" (i.e. not wrapped in a GSS-API message) NTLMSSP type 1
> Negotiate message (or occasionally a Kerberos BLOB) in the following Session
> Setup AndX Request. This is the kind of behavior that I'm looking to
> emulate.
>
> I tried setting "use spnego = no" in the smb.conf file but it removed
> Extended Security from the FLAGS2 field and as a result I received an
> entirely different response from the client (not the raw NTLMSSP BLOB that I
> was looking for).
>
> Is it possible to get the behavior that I want from SAMBA?

Right now I don't see it. Can you send a network trace of a server doing that?

Volker
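
For anyone reading such a trace, the two behaviours discussed in this thread can be told apart from the first bytes of the security blob. The following is an added example, not code from the thread or from Samba: the function names are hypothetical and both sample blobs are constructed. It classifies a blob as raw NTLMSSP, a GSS-API wrapped SPNEGO negTokenInit (listing the offered mechanism OIDs), or another GSS-API token such as Kerberos.

```python
import struct
SPNEGO_OID = bytes.fromhex("2b0601050502")  # 1.3.6.1.5.5.2

def read_tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(der):  # DER OID content bytes -> dotted string (first arc 0 or 1)
    arcs, val = [der[0] // 40, der[0] % 40], 0
    for b in der[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def classify_security_blob(blob):
    """Return (kind, detail) for an SMB security blob."""
    if blob[:8] == b"NTLMSSP\x00" and len(blob) >= 12:
        # Raw NTLMSSP: signature, then little-endian message type (1 = Negotiate)
        return "raw-ntlmssp", struct.unpack_from("<I", blob, 8)[0]
    if blob[:1] != b"\x60":  # GSS-API InitialContextToken is [APPLICATION 0]
        return "unknown", None
    _, token, _ = read_tlv(blob, 0)
    tag, mech, pos = read_tlv(token, 0)
    if tag != 0x06 or mech != SPNEGO_OID:  # some other mechanism, e.g. Kerberos
        return "gssapi-other", decode_oid(mech) if tag == 0x06 and mech else None
    tag, choice, _ = read_tlv(token, pos)
    if tag != 0xA0:  # [0] is negTokenInit; other choices are not parsed here
        return "spnego-other", None
    _, seq, _ = read_tlv(choice, 0)    # NegTokenInit SEQUENCE
    tag, field, _ = read_tlv(seq, 0)   # [0] mechTypes when present
    mech_list = read_tlv(field, 0)[1] if tag == 0xA0 else b""
    mechs, p = [], 0
    while p < len(mech_list):
        _, oid, p = read_tlv(mech_list, p)
        mechs.append(decode_oid(oid))
    return "spnego-negTokenInit", mechs

# Constructed sample blobs (not taken from a real capture).
RAW_TYPE1 = b"NTLMSSP\x00" + struct.pack("<II", 1, 0x00088207) + bytes(16)
NEG_TOKEN_INIT = bytes.fromhex("601c06062b0601050502a0123010a00e300c060a2b06010401823702020a")
```
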