On Thu May 15 08:44:46 2025 +0000, Hans Leidekker wrote:
This seems relevant for example:
#ifdef HAVE_GSS_KRB5_CRED_NO_CI_FLAGS_X
    /* The krb5 mechanism automatically adds INTEG and CONF flags even when
     * not specified, this has the effect of rendering explicit requests
     * of no confidentiality and integrity via setting maxssf 0 moot.
     * However to interoperate with Windows machines it needs to be
     * possible to unset these flags as Windows machines refuse to allow
     * two layers (say TLS and GSSAPI) to both provide these services.
     * So if we do not suppress these flags a SASL/GSS-SPNEGO negotiation
     * over, say, LDAPS will fail against Windows Servers */
We should probably do the same in kerberos.dll.
What exactly do you propose to do in kerberos.dll? How would it help with the output buffer format in sasl_encode/sasl_decode, where they are supposed to treat the encrypted buffer as data+token? Or with the flags passed to gss_init_sec_context(), where the gss plugin explicitly uses GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG | GSS_C_CONF_FLAG | GSS_C_INTEG_FLAG?