[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: GSS-SPNEGO Protocol Details

On Mon, Jan 29, 2007 at 08:59:36PM -0800, Howard Chu wrote:
> >  1) GSS-SPNEGO search replies are sealed even though the request was
> >  not and a capture of another client talking to the same server shows
> >  replies as integ-only. A examination of the captures of my code and
> >  the other client shows the packets are identical (minus ber encoding
> >  differences and encrypted krb5 bits).
> That would normally require the confidentiality flag to be set on the 
> ContextFlags of the NegotiationToken.

This is one thing that I've got confused over recently as
well. Just from coincidence I did pretty much the same
Michael did last weekend and I discovered the same
asymmetry. However I was told that a standard GSSAPI
exchange always contains the conf and integ bits, at least
MIT 1.5.1 does so. If I patch MIT to not set the bits
(Samba4 also would let me do it), then I can get Windows to
send signed-only replies. Maybe it's a Windows thing not
following RFCs, but I wonder how I would tell a Server to
send signed-only given that MIT krb always offers

Any ideas?


Attachment: pgpb9TBJx2jLR.pgp
Description: PGP signature