Current semantics for channel-bindings in GSSAPI

Isaac Boukris iboukris at
Tue Mar 10 09:53:18 EDT 2020

As discussed last week, we want the following changes.

- MIT should match Heimdal behavior and only error if client bindings
are not all zeros.
- Both Heimdal/MIT should return channel-bound flag if the bindings did match.
- Both Heimdal/MIT should take advantage of KERB_AP_OPTIONS_CBT if
present in the authenticator, in which case if the server passed bindings
they must match.
- Both Heimdal/MIT should provide a conf option to assert the client
system supports channel-bindings, causing KERB_AP_OPTIONS_CBT to be
sent in any ap-req.

I submitted wip PR #1047 upstream MIT based on the above.

@metze, would that satisfy samba's requirements?
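An added worked model of the four rules listed in the post (example code written for this page, not MIT or Heimdal code): the acceptor compares the 16-byte Bnd field from the authenticator checksum against the bindings the server application passed, with KERB_AP_OPTIONS_CBT modelled as a boolean. The names ApReq, build_ap_req and accept_bindings and the sample binding values are assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

# Length of the Bnd field in the RFC 4121 authenticator checksum (MD5 of the bindings).
BND_LEN = 16
ZERO_BND = bytes(BND_LEN)


class Verdict(Enum):
    ACCEPT = "accept"                              # nothing to compare, or legacy client
    ACCEPT_CHANNEL_BOUND = "accept+channel-bound"  # bindings compared and matched
    REJECT = "reject"                              # would map to GSS_S_BAD_BINDINGS


@dataclass(frozen=True)
class ApReq:
    """Constructed model of the parts of an AP-REQ the acceptor looks at."""
    bnd: bytes           # channel-binding hash carried in the authenticator checksum
    cbt_asserted: bool   # KERB_AP_OPTIONS_CBT present in the authenticator


def build_ap_req(app_bindings: Optional[bytes], system_supports_cbt: bool) -> ApReq:
    """Initiator side: the proposed conf option makes every AP-REQ carry
    KERB_AP_OPTIONS_CBT, even when the application passed no bindings
    (in which case Bnd stays all zeros, as today)."""
    bnd = app_bindings if app_bindings is not None else ZERO_BND
    return ApReq(bnd=bnd, cbt_asserted=system_supports_cbt)


def accept_bindings(acceptor_bindings: Optional[bytes], req: ApReq) -> Verdict:
    """Acceptor side: apply the rules from the post in order."""
    if acceptor_bindings is None:
        # Server passed no bindings: nothing to compare, so never an error,
        # but also never channel-bound.
        return Verdict.ACCEPT
    if req.bnd == acceptor_bindings:
        # Bindings matched: report the channel-bound flag to the application.
        return Verdict.ACCEPT_CHANNEL_BOUND
    if req.bnd != ZERO_BND:
        # Client sent real bindings and they differ: error (Heimdal behaviour
        # that MIT is to adopt).
        return Verdict.REJECT
    if req.cbt_asserted:
        # Client bindings are all zeros, but the client system asserted CBT
        # support and the server passed bindings: they must match, so reject.
        return Verdict.REJECT
    # Legacy client that knows nothing about bindings: accept, not channel-bound.
    return Verdict.ACCEPT
```

The last two branches are the point of the CBT flag: an all-zero Bnd from a client that asserted KERB_AP_OPTIONS_CBT is treated as a mismatch rather than as a legacy client.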
