Hi Markus,

> The spnego implementation with fbopenssl was only added to wrap/unwrap a
> gssapi token and make it a spnego token to work with MS servers.
> This wrapping/unwrapping is now contained in all the standard Kerberos 
> libraries (Heimdal/MIT).  It was not intended for NTLM.

Yes, I tried with Heimdal, and without fbopenssl, and Negotiate auth did 
negotiate down to NTLM correctly when Kerberos is not configured, and with some 
hacking curl did the full conversation. The server won't accept my credentials, 
but that could be any number of username/domain/password issues; the NTLM data 
looked ok. I'm not sure I need this now, but if I do I'll put together a 
possible patch.

I've seen a few requests, on the web, from people wanting to do NTLM via 
negotiate auth but I guess it's not common?

Thanks,

Kevin

-----Original Message-----
From: Kevin Swift
Sent: Tuesday, September 24, 2013 10:20 AM
Newsgroups: gmane.comp.web.curl.library
To: [email protected] ; [email protected]
Subject: Re: PATCH: Curl Sanity patch for spnego authentication

Date: Mon, 23 Sep 2013 19:44:18 +0100
From: "Markus Moeller" <[email protected]>
To: "libcurl development" <[email protected]>
Subject: Re: PATCH: Curl Sanity patch for spnego authentication
Message-ID: <00A875024B50435F9CD538537169318A@Ultrabook1>
Content-Type: text/plain; charset="iso-8859-1"

> I can only repeat that the spnego code has not been needed for more than 
> 4 years, as the Kerberos libraries can now handle spnego tokens. Why are 
> you still using it?
> Can you show me a case where it is needed?
>
> Markus

Hi,

I have been trying to get SPNEGO working with fallback to NTLM (rather than 
using kerberos). Should this work out of the box? To do this I built curl with 
fbopenssl and have had to make a few changes to handle the 3-way protocol for 
NTLM and change the default gss mech to NTLM.  Should I have started from a 
different base? For example using the Heimdal library to handle everything and 
ignoring the fbopenssl SPNEGO code? BTW it's not yet working so this is an 
experiment-in-progress. I'm also planning on trying the Heimdal library only 
today.

Apologies if the format of this message is incorrect; I've just subscribed and 
had to reply via the digest.

Thanks,

Kevin

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html 

