On Mon, Jan 29, 2007 at 08:59:36PM -0800, Howard Chu wrote:
> > - GSS-SPNEGO search replies are sealed even though the request was
> > not, and a capture of another client talking to the same server shows replies as integ-only. An examination of the captures of my code and the other client shows the packets are identical (minus BER encoding differences and encrypted krb5 bits).
> That would normally require the confidentiality flag to be set on the ContextFlags of the NegotiationToken.
This is one thing that I've got confused over recently as well. Just by coincidence I did pretty much the same as Michael did last weekend and I discovered the same asymmetry. However, I was told that a standard GSSAPI exchange always contains the conf and integ bits; at least MIT 1.5.1 does so. If I patch MIT to not set the bits (Samba4 also would let me do it), then I can get Windows to send signed-only replies. Maybe it's a Windows thing not following RFCs, but I wonder how I would tell a server to send signed-only given that MIT krb always offers confidentiality.
Any ideas?
Volker
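The asymmetry discussed in this thread (requests integ-only, replies sealed) is visible in the per-message wrap tokens themselves, without decrypting anything: an RFC 4121 token (AES and other newer enctypes) carries a Sealed flag bit in its header, and an RFC 1964/4757 token (DES, RC4-HMAC) carries a SEAL_ALG field that is 0xFFFF when no encryption is applied. The following is an added example, not code from the thread participants or from MIT, Samba or OpenLDAP; it parses both header formats and walks a SASL security-layer byte stream (4-octet big-endian length prefix per buffer, per RFC 4422) so that captured traffic in either direction can be classified as sealed or integ-only. All sample tokens are constructed here with filler payloads and are not real ciphertext.

```python
"""Classify GSS-API krb5 wrap tokens as sealed or integrity-only (added example)."""

import struct

# DER-encoded mechanism OIDs including the 06 09 tag and length:
# Kerberos 5 GSS-API (RFC 1964) and Microsoft's historical variant.
KRB5_MECH_OID = bytes.fromhex("06092a864886f712010202")
MS_KRB5_MECH_OID = bytes.fromhex("06092a864882f712010202")

# RFC 4121 wrap-token flag bits (octet 2 of the 16-octet header).
FLAG_SENT_BY_ACCEPTOR = 0x01
FLAG_SEALED = 0x02
FLAG_ACCEPTOR_SUBKEY = 0x04

# RFC 1964 / RFC 4757 SEAL_ALG value meaning "no encryption" (integrity only).
SEAL_ALG_NONE = 0xFFFF


def _read_der_length(buf, pos):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    count = first & 0x7F
    if count == 0 or count > 4 or pos + 1 + count > len(buf):
        raise ValueError("unsupported or truncated DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + count], "big"), pos + 1 + count


def parse_wrap_token(token):
    """Return a dict describing a krb5 wrap token in either format.

    RFC 4121: TOK_ID 05 04, Flags, Filler FF, EC, RRC, SND_SEQ (big-endian).
    RFC 1964/4757: 0x60 framing + mech OID, then TOK_ID 02 01, SGN_ALG,
    SEAL_ALG (16-bit little-endian), Filler FF FF, SND_SEQ, SGN_CKSUM, data.
    """
    if len(token) >= 16 and token[:2] == b"\x05\x04":
        flags = token[2]
        if token[3] != 0xFF:
            raise ValueError("RFC 4121 wrap token: bad filler octet")
        ec, rrc = struct.unpack(">HH", token[4:8])
        (seq,) = struct.unpack(">Q", token[8:16])
        return {
            "format": "rfc4121",
            "sealed": bool(flags & FLAG_SEALED),
            "sent_by_acceptor": bool(flags & FLAG_SENT_BY_ACCEPTOR),
            "acceptor_subkey": bool(flags & FLAG_ACCEPTOR_SUBKEY),
            "ec": ec,
            "rrc": rrc,
            "seq": seq,
        }

    if token[:1] == b"\x60":
        _, pos = _read_der_length(token, 1)
        for oid in (KRB5_MECH_OID, MS_KRB5_MECH_OID):
            if token[pos:pos + len(oid)] == oid:
                pos += len(oid)
                break
        else:
            raise ValueError("0x60-framed token is not a krb5 mechanism token")
        body = token[pos:]
        # 8-octet header + 8-octet SND_SEQ + 8-octet SGN_CKSUM at minimum.
        if len(body) < 24 or body[:2] != b"\x02\x01":
            raise ValueError("not an RFC 1964 wrap token (expected TOK_ID 02 01)")
        sgn_alg, seal_alg = struct.unpack("<HH", body[2:6])
        if body[6:8] != b"\xff\xff":
            raise ValueError("RFC 1964 wrap token: bad filler")
        return {
            "format": "rfc1964",
            "sealed": seal_alg != SEAL_ALG_NONE,
            "sgn_alg": sgn_alg,
            "seal_alg": seal_alg,
        }

    raise ValueError("unrecognised per-message token")


def classify_sasl_stream(data):
    """Split a SASL security-layer stream (4-octet length prefix per buffer)
    and label each wrap token 'sealed' or 'integ-only'."""
    labels, pos = [], 0
    while pos + 4 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        token = data[pos + 4:pos + 4 + length]
        if len(token) != length:
            raise ValueError("truncated SASL buffer")
        labels.append("sealed" if parse_wrap_token(token)["sealed"] else "integ-only")
        pos += 4 + length
    return labels


def _frame_rfc1964(inner):
    """Apply the 0x60 InitialContextToken framing used by RFC 1964 tokens."""
    return b"\x60" + bytes([len(KRB5_MECH_OID) + len(inner)]) + KRB5_MECH_OID + inner


def _sasl_frame(token):
    return struct.pack(">I", len(token)) + token


# Constructed samples: only the header fields are meaningful, payloads are zeros.
SAMPLE_4121_SEALED = bytes.fromhex("050407ff0000001c0000000000000001") + b"\x00" * 24
SAMPLE_4121_INTEG = bytes.fromhex("050405ff000c00000000000000000002") + b"\x00" * 20
SAMPLE_4757_SEALED = _frame_rfc1964(bytes.fromhex("020111001000ffff") + b"\x00" * 24)
SAMPLE_4757_INTEG = _frame_rfc1964(bytes.fromhex("02011100ffffffff") + b"\x00" * 16)
SAMPLE_STREAM = _sasl_frame(SAMPLE_4121_SEALED) + _sasl_frame(SAMPLE_4757_INTEG)

if __name__ == "__main__":
    for name in ("SAMPLE_4121_SEALED", "SAMPLE_4121_INTEG", "SAMPLE_4757_SEALED", "SAMPLE_4757_INTEG"):
        print(name, parse_wrap_token(globals()[name]))
    print("stream:", classify_sasl_stream(SAMPLE_STREAM))
```

Run over the wrap tokens of a real capture (the bytes after the SASL length prefix, once the security layer is active), the SentByAcceptor flag or the direction of the TCP stream tells you which side produced each token, so a server sealing replies to integ-only requests shows up as a mismatch in the per-direction labels.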