CVE-2016-2125: s4:gensec_gssapi: don't use GSS_C_DELEG_FLAG by default

This disabled the usage of GSS_C_DELEG_FLAG by default, as
GSS_C_DELEG_POLICY_FLAG is still used by default we let the
KDC decide if we should send delegated credentials to a remote server.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12445

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Simo Sorce <idra@samba.org>

diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index 18bb01146b97385a181b33548cad7db451de57e1..a37a0a91e444052a2e30c1df17fa0f955cdb5cab 100644 (file)
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -115,7 +115,7 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security)
        if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "mutual", true)) {
                gensec_gssapi_state->gss_want_flags |= GSS_C_MUTUAL_FLAG;
        }
-       if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "delegation", true)) {
+       if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "delegation", false)) {
                gensec_gssapi_state->gss_want_flags |= GSS_C_DELEG_FLAG;
        }
        if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "replay", true)) {