OK, I think I've done my due diligence on testing the GSSAPI support. If anyone cares about an OS I've missed then please test and let me know of any issues.

Kerberos authentication to HTTP and SOCKS servers is working on OpenBSD 5.5, NetBSD 6.1.4, FreeBSD 9, and OSX (10.6.8). And also of course on Linux (Fedora 20).

Automatic NTLM authentication via Samba's ntlm_auth helper is working under Linux, and it looks like it was *trying* under OSX although Samba/winbind on OSX didn't know my password so it failed as expected. There's no good reason that shouldn't work elsewhere as long as ntlm_auth is working.

Negotiate/GSSAPI authentication to an HTTP proxy using NTLM instead of Kerberos is also working, at least under Linux, using GSS-NTLMSSP. Again, there's no good reason it shouldn't work elsewhere as long as GSS-NTLMSSP is installed and working.

To enable NTLM in Negotiate auth, I had to manually select the SPNEGO mechanism (commit dbf058ab), which actually *breaks* SOCKS (but not HTTP) auth for OpenBSD 5.2 (but not 5.5) and for Solaris 11. I don't think I care. AFAICT this is a bug in their Kerberos implementations and Not My Fault. I could perhaps create an option to avoid SPNEGO but... life's too short.

(The details: OpenBSD 5.2 complains of an invalid MIC in the SPNEGO response from the server on successful auth. And Solaris refuses a gss_wrap() call after successfully authenticating, claiming that the operation is unsupported. Although it works without SPNEGO in both cases. And works for HTTP too, since the GSSAPI exchange is simpler there.)

-- 
David Woodhouse                            Open Source Technology Centre
David.Woodhouse at intel.com                              Intel Corporation