auth/credentials: explain why we need to the enctypes for the gssapi layer
[sfrench/samba-autobuild/.git] / source4 / auth / credentials / credentials_krb5.c
index c4c58398c3f750386c18da9ff8da176555e6d8ac..1a2d5faddd2f6766062a3850dfc3610901269cf3 100644 (file)
@@ -392,7 +392,17 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
                return ret;
        }
 
-       /* transfer the enctypes from the smb_krb5_context to the gssapi layer */
+       /*
+        * transfer the enctypes from the smb_krb5_context to the gssapi layer
+        *
+        * We use 'our' smb_krb5_context to do the AS-REQ and it is possible
+        * to configure the enctypes via the krb5.conf.
+        *
+        * And the gss_init_sec_context() creates it's own krb5_context and
+        * the TGS-REQ had all enctypes in it and only the ones configured
+        * and used for the AS-REQ, so it wasn't possible to disable the usage
+        * of AES keys.
+        */
        min_stat = krb5_get_default_in_tkt_etypes(ccache->smb_krb5_context->krb5_context,
                                                  &etypes);
        if (min_stat == 0) {
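Review bot: The last paragraph of the new comment appears to say the opposite of what is intended: `the TGS-REQ had all enctypes in it and only the ones configured` presumably should read `the TGS-REQ had all enctypes in it and not only the ones configured`, and `it's own krb5_context` should be `its own krb5_context`. Since the comment explains a crypto-policy control (restricting enctypes via krb5.conf), it would also read better in the present tense, stating that without this transfer the context created by gss_init_sec_context() ignores the restriction applied to the AS-REQ. The `if (min_stat == 0)` block continues outside the hunk, so the handling of a failed krb5_get_default_in_tkt_etypes() is not visible here. If that case is skipped silently, the comment should say that the GSSAPI layer then keeps its default enctypes.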