On 10/27/24 8:08 PM, Michael Saxl via samba wrote:
> does anybody know what the ntlmssp flag NTLMSSP_NEGOTIATE_IDENTIFY is used
> for?
> I looked in the samba sources and only found it in .idl but there as far as I
> can tell there is no implementation of that. I searched for some information
> on the web but did not really find something useful.
>
> Before anyone asks: Microsoft's HTML5 RDP Webclient uses that flag and insists
> that the server supports that, else it disconnects with a security error
> saying that a required ntlm feature is missing.

cf MS-NLMP
<https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-nlmp/b38c36ed-2804-4868-a9ff-8dd3182128e4>
"Identify: A Boolean setting that indicates that the caller wants the
server to know the identity of the caller, but that the server not be
allowed to impersonate the caller to resources on that system.
Setting this flag results in the NTLMSSP_NEGOTIATE_IDENTIFY flag being
set. Indicates that the GSS_C_IDENTIFY_FLAG flag was set in the
GSS_Init_sec_context call, as discussed in [RFC4757] section 7.1, and
results in the GSS_C_IDENTIFY_FLAG flag set in the authenticator's
checksum field ([RFC4757] section 7.1)."
Not really my turf, you may have more luck asking over at samba-technical.
-slow
--
SerNet Samba Team Lead https://sernet.de/
Samba Team Member https://samba.org/
SAMBA+ packages https://samba.plus/
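
For checking a capture of the handshake described in the question, an added example (not from this thread and not Samba code): it reads NegotiateFlags out of raw NTLMSSP messages and reports whether a requested NTLMSSP_NEGOTIATE_IDENTIFY comes back in the server's CHALLENGE_MESSAGE. Flag values and field offsets follow MS-NLMP; the function names and the sample messages are constructed for illustration.

```python
import struct

# Subset of the NegotiateFlags bits defined in MS-NLMP.
NTLMSSP_FLAGS = {
    0x00000001: "NTLMSSP_NEGOTIATE_UNICODE",
    0x00000010: "NTLMSSP_NEGOTIATE_SIGN",
    0x00000020: "NTLMSSP_NEGOTIATE_SEAL",
    0x00000200: "NTLMSSP_NEGOTIATE_NTLM",
    0x00008000: "NTLMSSP_NEGOTIATE_ALWAYS_SIGN",
    0x00080000: "NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x00100000: "NTLMSSP_NEGOTIATE_IDENTIFY",
    0x20000000: "NTLMSSP_NEGOTIATE_128",
    0x40000000: "NTLMSSP_NEGOTIATE_KEY_EXCH",
}
IDENTIFY = 0x00100000
# Byte offset of NegotiateFlags in NEGOTIATE (1), CHALLENGE (2), AUTHENTICATE (3).
FLAGS_OFFSET = {1: 12, 2: 20, 3: 60}

def negotiate_flags(msg: bytes) -> tuple[int, int]:
    """Return (message_type, NegotiateFlags) of a raw NTLMSSP message."""
    if len(msg) < 12 or msg[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    (mtype,) = struct.unpack_from("<I", msg, 8)
    if mtype not in FLAGS_OFFSET:
        raise ValueError(f"unknown NTLMSSP message type {mtype}")
    off = FLAGS_OFFSET[mtype]
    if len(msg) < off + 4:
        raise ValueError("message truncated before NegotiateFlags")
    return mtype, struct.unpack_from("<I", msg, off)[0]

def flag_names(flags: int) -> list[str]:
    return [name for bit, name in NTLMSSP_FLAGS.items() if flags & bit]

def identify_status(negotiate: bytes, challenge: bytes) -> str:
    """Compare what the client asked for with what the server returned."""
    t1, client = negotiate_flags(negotiate)
    t2, server = negotiate_flags(challenge)
    if (t1, t2) != (1, 2):
        raise ValueError("expected a NEGOTIATE followed by a CHALLENGE")
    if not client & IDENTIFY:
        return "not requested"
    return "accepted" if server & IDENTIFY else "requested but not returned"

# Constructed sample messages (not captured traffic): the client sets
# IDENTIFY, the server's CHALLENGE comes back without it.
SIGNATURE = b"NTLMSSP\x00"
SAMPLE_NEGOTIATE = SIGNATURE + struct.pack("<II", 1, 0x60188211) + bytes(16)
SAMPLE_CHALLENGE = (SIGNATURE + struct.pack("<I", 2) + bytes(8)
                    + struct.pack("<I", 0x60088211) + bytes(24))
```

When the messages come from an HTTP `Authorization: NTLM ...` or `WWW-Authenticate: NTLM ...` header, base64-decode the token before passing it in.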