[krbdev.mit.edu #2210] GSSAPI accept_sec_context() sets INTEGandCONF flags producing inconsistent state with cleint

[DEEngert@anl.gov via RT]

> Jeffrey Altman wrote:
> 
> The flags are what the client is capable of; not what the client wants.
> If the flags are not set by the client and the server uses the functionality
> anyway you will lose.

You are right. I should have read the RFCs first. 

> 
> Douglas E. Engert wrote:
> 
> >
> > The flags might be what the client appl wants, but the SSPI might be
> > actually doing both because it only has an enctype that does both.
> >
> > So the protection on the packets may be more then the client requested.
> > So should the acceptor appl be told what the user requested, or what is
> > actually being used?
> >
> >
> > Jeffrey Altman via RT wrote:
> >
> >> Microsoft reports that their Kerberos SSPI code is incompatible with MIT
> >> GSSAPI when INTEG or CONF modes are used independent of one another.
> >> 1964 states that the INTEG and CONF flags are to indicate the
> >> availability of the modes in the client.  They are not to be set by the
> >> server.
> >>
> >> MIT's clients always set both flags which is fine, but we must be
> >> prepared to accept security contexts which only set one of them.
> >>
> >> _______________________________________________
> >> krb5-bugs mailing list
> >> krb5-bugs at mit.edu
> >> https://mailman.mit.edu/mailman/listinfo/krb5-bugs
> >>
> >
> >
> 
>              ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
> _______________________________________________
> krb5-bugs mailing list
> krb5-bugs at mit.edu
> https://mailman.mit.edu/mailman/listinfo/krb5-bugs

-- 

 Douglas E. Engert  <DEEngert at anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444