author | Andreas Schneider <asn@samba.org> | 2015-06-23 17:39:27 +0200 |
---|---|---|
committer | Andreas Schneider <asn@cryptomilk.org> | 2015-06-24 13:37:02 +0200 |
commit | 0438027a476e56bb5664886918a982929c6add87 (patch) | |
tree | 6c5563aeb6742bc8dac1a15c0cef6b14c5102d07 /auth | |
parent | 225d70154620d7029918cb9c549aec15d99c2de7 (diff) | |
auth: Explain why GSS_KRB5_CRED_NO_CI_FLAGS_X is needed
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Jun 24 13:37:02 CEST 2015 on sn-devel-104
Diffstat (limited to 'auth')
-rw-r--r-- | auth/credentials/credentials_krb5.c | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c
index d6aaae6cde4..286bede2a80 100644
--- a/auth/credentials/credentials_krb5.c
+++ b/auth/credentials/credentials_krb5.c
@@ -635,7 +635,15 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
 }
 #ifdef HAVE_GSS_KRB5_CRED_NO_CI_FLAGS_X
- /* don't force GSS_C_CONF_FLAG and GSS_C_INTEG_FLAG */
+ /*
+ * Don't force GSS_C_CONF_FLAG and GSS_C_INTEG_FLAG.
+ *
+ * This allows us to disable SIGN and SEAL on a TLS connection with
+ * GSS-SPNENO. For example ldaps:// connections.
+ *
+ * https://groups.yahoo.com/neo/groups/cat-ietf/conversations/topics/575
+ * http://krbdev.mit.edu/rt/Ticket/Display.html?id=6938
+ */
 maj_stat = gss_set_cred_option(&min_stat, &gcc->creds, GSS_KRB5_CRED_NO_CI_FLAGS_X, &empty_buffer); |
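Review bot: The added comment misspells the mechanism as `GSS-SPNENO`; it should read `GSS-SPNEGO`, otherwise a search for the mechanism name will miss this rationale. The comment explains why the flags are not forced but not what that costs: once GSS_C_CONF_FLAG and GSS_C_INTEG_FLAG are no longer implied, a context that does not request them gets its integrity and confidentiality from TLS alone, so I would add a line such as `* Without SIGN/SEAL the session is protected only by TLS, so the peer certificate must be verified.` The two URLs are the only record of the upstream discussion, and a one-sentence summary of each next to the link would keep the reasoning available if they stop resolving. The body of cli_credentials_get_client_gss_creds starts and ends outside the hunk, so whether maj_stat is checked after gss_set_cred_option() cannot be seen here.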