On Mon, Jan 29, 2007 at 08:59:36PM -0800, Howard Chu wrote:
> > 1) GSS-SPNEGO search replies are sealed even though the request was
> > not and a capture of another client talking to the same server shows
> > replies as integ-only. An examination of the captures of my code and
> > the other client shows the packets are identical (minus BER encoding
> > differences and encrypted krb5 bits).
>
> That would normally require the confidentiality flag to be set on the
> ContextFlags of the NegotiationToken.

This is one thing that I've got confused over recently as well. Just by coincidence I did pretty much the same as Michael did last weekend and I discovered the same asymmetry. However I was told that a standard GSSAPI exchange always contains the conf and integ bits, at least MIT 1.5.1 does so. If I patch MIT to not set the bits (Samba4 also would let me do it), then I can get Windows to send signed-only replies.

Maybe it's a Windows thing not following RFCs, but I wonder how I would tell a server to send signed-only given that MIT krb always offers confidentiality.

Any ideas?

Volker