Possible error in line 511 on krb5/src/lib/gssapi/krb5/init_sec_context.c

[Krishna Ganugapati]

Recently, we've been trying to make ldap_sasl_binds using GSS-SPNEGO
from a Linux machine to Windows Active Directory. For the GSS-SPNEGO we
made use of the new GSS-SPNEGO support in MIT Kerberos Release 1.5

 

While the ldap_sasl_bind using GSSPNEGO worked like a charm, subsequent
ldap search requests would hang. 

 

Our developer(s) reproed the same problem against a Samba 4 domain
controller. The Samba4 domain controller would expect the ldap_search
payloads to always be signed and sealed irrespective of whether we had
requested for confidentiality and/or integrity. In our case, we were
explicitly not requesting for integrity or confidentiality. We were only
interested in mutual authentication and we're okay with our traffic
being in the clear.

 

Our developer(s) traced this  line 511 in  init_sec_context.c which is
as follows

 

Ctx->gss_flags = (GSS_C_INTEG_FLAG | GSS_C_CONF_FLAG | GSS_C_TRANS_FLAG
|

                                    ((req_flags) & (GSS_C_MUTUAL_FLAG |
GSS_C_SeQUENCE_FLAG | GSS_C_DELEG_FLAG)));

 

When we moved the INTEG and CONF flags as part of the internal AND
clause, everything worked flawlessly. Both Active Directory and Samba 4
were happy

 

Ctx->gss_flags = (GSS_C_TRANS_FLAG |

((req_flags) & (GSS_C_MUTUAL_FLAG | GSS_C_SeQUENCE_FLAG |
GSS_C_DELEG_FLAG |GSS_C_INTEG_FLAG | GSS_C_CONF_FLAG )));

 

 

Would someone kindly comment on this? Is what we've done correct?

Krishna Ganugapati

Centeris Corporation