authorAndreas Schneider <asn@samba.org>2015-06-23 17:39:27 +0200
committerAndreas Schneider <asn@cryptomilk.org>2015-06-24 13:37:02 +0200
commit0438027a476e56bb5664886918a982929c6add87 (patch)
tree6c5563aeb6742bc8dac1a15c0cef6b14c5102d07 /auth
parent225d70154620d7029918cb9c549aec15d99c2de7 (diff)
auth: Explain why GSS_KRB5_CRED_NO_CI_FLAGS_X is needed
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> Autobuild-Date(master): Wed Jun 24 13:37:02 CEST 2015 on sn-devel-104
Diffstat (limited to 'auth')
-rw-r--r--auth/credentials/credentials_krb5.c10
1 files changed, 9 insertions, 1 deletions
diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c
index d6aaae6cde4..286bede2a80 100644
--- a/auth/credentials/credentials_krb5.c
+++ b/auth/credentials/credentials_krb5.c
@@ -635,7 +635,15 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
}
#ifdef HAVE_GSS_KRB5_CRED_NO_CI_FLAGS_X
- /* don't force GSS_C_CONF_FLAG and GSS_C_INTEG_FLAG */
+ /*
+ * Don't force GSS_C_CONF_FLAG and GSS_C_INTEG_FLAG.
+ *
+ * This allows us to disable SIGN and SEAL on a TLS connection with
+ * GSS-SPNENO. For example ldaps:// connections.
+ *
+ * https://groups.yahoo.com/neo/groups/cat-ietf/conversations/topics/575
+ * http://krbdev.mit.edu/rt/Ticket/Display.html?id=6938
+ */
maj_stat = gss_set_cred_option(&min_stat, &gcc->creds,
GSS_KRB5_CRED_NO_CI_FLAGS_X,
&empty_buffer);
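Review bot: The new comment misspells the mechanism as `GSS-SPNENO`; it should read `GSS-SPNEGO`, so that a search for the mechanism name finds this rationale. The reasoning itself sits behind two external URLs, so I would add a one-line summary in the comment, e.g. `* Without this option the krb5 mechanism always asks for confidentiality and integrity, even if the caller did not request them.` It is also worth stating the security assumption: `* With SIGN and SEAL off, message protection rests entirely on the TLS layer.` This matters because dropping both flags is only sound while the TLS session is properly verified. The handling of `maj_stat` and the rest of cli_credentials_get_client_gss_creds lie outside the hunk.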