On Mon, Jan 29, 2007 at 08:59:36PM -0800, Howard Chu wrote:
>> 1) GSS-SPNEGO search replies are sealed even though the request was
>> not and a capture of another client talking to the same server shows
>> replies as integ-only. An examination of the captures of my code and
>> the other client shows the packets are identical (minus ber encoding
>> differences and encrypted krb5 bits).
>
> That would normally require the confidentiality flag to be set on the
> ContextFlags of the NegotiationToken.

This is one thing that I've got confused over recently as
well. Just from coincidence I did pretty much the same as
Michael did last weekend and I discovered the same
asymmetry. However I was told that a standard GSSAPI
exchange always contains the conf and integ bits, at least
MIT 1.5.1 does so. If I patch MIT to not set the bits
(Samba4 also would let me do it), then I can get Windows to
send signed-only replies. Maybe it's a Windows thing not
following RFCs, but I wonder how I would tell a Server to
send signed-only given that MIT krb always offers
confidentiality.