On Wed May 14 07:10:59 2025 +0000, Dmitry Timoshkov wrote:
I did some experiments and ISC_REQ_MUTUAL_AUTH is the key flag that makes LDAP over Kerberos work for my configuration; without it, authentication uses 1 step instead of 2, and apparently this makes the security context unusable. I don't insist that the server attributes check should be fatal; emitting a warning would suffice, I guess. Hans, does adding only ISC_REQ_MUTUAL_AUTH work for your use case with NTLM?
Retrieving SSPI flags before binding returns ISC_REQ_EXTENDED_ERROR | ISC_REQ_MUTUAL_AUTH, so that seems to be the default. Retrieving the flags after a successful Negotiate bind (which picks NTLM), I get ISC_REQ_INTEGRITY | ISC_REQ_EXTENDED_ERROR | ISC_REQ_REPLAY_DETECT | ISC_REQ_SEQUENCE_DETECT.
I think we should use the same default and avoid any checks on returned flags.