#define GENSEC_FEATURE_SMB_TRANSPORT 0x00001000
#define GENSEC_FEATURE_LDAPS_TRANSPORT 0x00002000
#define GENSEC_FEATURE_CB_OPTIONAL 0x00004000
+#define GENSEC_FEATURE_NO_DELEGATION 0x00008000
#define GENSEC_EXPIRE_TIME_INFINITY (NTTIME)0x8000000000000000LL
memcpy(&gse_ctx->gss_mech, mech, sizeof(gss_OID_desc));
gse_ctx->gss_want_flags = GSS_C_MUTUAL_FLAG |
- GSS_C_DELEG_POLICY_FLAG |
GSS_C_REPLAY_FLAG |
GSS_C_SEQUENCE_FLAG;
if (do_sign) {
want_flags |= GSS_C_DCE_STYLE;
}
+ if (!(gensec_security->want_features & GENSEC_FEATURE_NO_DELEGATION)) {
+ want_flags |= GSS_C_DELEG_POLICY_FLAG;
+ }
+
#ifdef HAVE_CLIENT_GSS_C_CHANNEL_BOUND_FLAG
/*
* We can only use GSS_C_CHANNEL_BOUND_FLAG if the kerberos library
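Review bot: The added `if (!(gensec_security->want_features & GENSEC_FEATURE_NO_DELEGATION))` here ORs in `GSS_C_DELEG_POLICY_FLAG` when the new feature is absent, which matches the feature's name, but the gensec_gssapi.c hunk below uses the identical negated test to clear `GSS_C_DELEG_FLAG` and `GSS_C_DELEG_POLICY_FLAG`, so the two hunks cannot both be right. Reading the feature as "the caller asks that its credentials not be delegated", the gensec_gssapi.c condition is the inverted one and should drop the negation: `if (gensec_security->want_features & GENSEC_FEATURE_NO_DELEGATION) {`. As written there, a caller that sets the feature keeps whatever delegation flags the settings enabled, while a caller that does not set it silently loses them, and nothing fails loudly because the flags only change what is requested from the GSS library. It would also help to add a one-line comment above the new block here, e.g. `/* GENSEC_FEATURE_NO_DELEGATION: caller forbids credential delegation */`, and the same comment at the gensec_gssapi.c site so the two stay in step. The enclosing function begins and ends outside this hunk.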
if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "sequence", true)) {
gensec_gssapi_state->gss_want_flags |= GSS_C_SEQUENCE_FLAG;
}
+ if (!(gensec_security->want_features & GENSEC_FEATURE_NO_DELEGATION)) {
+ gensec_gssapi_state->gss_want_flags &= ~GSS_C_DELEG_FLAG;
+ gensec_gssapi_state->gss_want_flags &= ~GSS_C_DELEG_POLICY_FLAG;
+ }
if (gensec_security->want_features & GENSEC_FEATURE_SESSION_KEY) {
gensec_gssapi_state->gss_want_flags |= GSS_C_INTEG_FLAG;