auth: Explain why GSS_KRB5_CRED_NO_CI_FLAGS_X is needed
authorAndreas Schneider <asn@samba.org>
Tue, 23 Jun 2015 15:39:27 +0000 (17:39 +0200)
committerAndreas Schneider <asn@cryptomilk.org>
Wed, 24 Jun 2015 11:37:02 +0000 (13:37 +0200)
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Jun 24 13:37:02 CEST 2015 on sn-devel-104

auth/credentials/credentials_krb5.c

index d6aaae6cde47952cc1cc3c882dd13f43595463b7..286bede2a8006e9b055dd362c4a7947882adb7b4 100644 (file)
@@ -635,7 +635,15 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
        }
 
 #ifdef HAVE_GSS_KRB5_CRED_NO_CI_FLAGS_X
-       /* don't force GSS_C_CONF_FLAG and GSS_C_INTEG_FLAG */
+       /*
+        * Don't force GSS_C_CONF_FLAG and GSS_C_INTEG_FLAG.
+        *
+        * This allows us to disable SIGN and SEAL on a TLS connection with
+        * GSS-SPNENO. For example ldaps:// connections.
+        *
+        * https://groups.yahoo.com/neo/groups/cat-ietf/conversations/topics/575
+        * http://krbdev.mit.edu/rt/Ticket/Display.html?id=6938
+        */
        maj_stat = gss_set_cred_option(&min_stat, &gcc->creds,
                                       GSS_KRB5_CRED_NO_CI_FLAGS_X,
                                       &empty_buffer);
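Review bot: The added comment above the `gss_set_cred_option()` call misspells the mechanism as `GSS-SPNENO`; it should read `GSS-SPNEGO`, otherwise a search for the term misses this block. The comment should also state the condition the relaxation depends on, for example `* With the flags not forced, signing and sealing are only negotiated when the caller asks for them, so the transport (TLS) must provide the protection.` That wording is inferred from the comment itself, because the code that decides when SIGN and SEAL are actually dropped lies outside this hunk. The two URLs point at external archives that may disappear, so a one-line summary of what each establishes would keep the rationale in the tree. The enclosing function `cli_credentials_get_client_gss_creds` starts and ends outside the hunk.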