Add SPNEGO special case for NTLMSSP+MechListMIC
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
krb5 (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
Trusty |
Fix Released
|
Undecided
|
Unassigned | ||
Xenial |
Fix Released
|
Undecided
|
Unassigned | ||
Yakkety |
Fix Released
|
Undecided
|
Unassigned |
Bug Description
[Impact]
MS-SPNG section 3.3.5.1 documents an odd behavior the SPNEGO layer
needs to implement specifically for the NTLMSSP mechanism. This is
required for compatibility with Windows services.
Upstream commit: https:/
We've run into this issue with Linux to Windows negotiation with encrypted http using GSSAPI.
[Test Case]
create a file with some credentials:
$ echo F23:guest:guest > ~/ntlmcreds.txt
$ export NTLM_USER_
$ python
import gssapi
spnego = gssapi.
c = gssapi.
tname = gssapi.
ac = gssapi.
seci = gssapi.
seca = gssapi.
it = seci.step(
ot = seca.step(token=it)
it = seci.step(token=ot)
ot = seca.step(token=it)
it = seci.step(token=ot)
e = seci.wrap(
o = seca.unwrap(
o.message
'Secrets'
This is needed for Ubuntu 14.04, 16.04, and 16.10.