credentials: set GSS_KRB5_CRED_NO_CI_FLAGS_X to avoid GSS_C_CONF_FLAG and GSS_C_INTEG_FLAG

metze
(This used to be commit f573c1ff4443f3002c310d3ba29d8c343ad03907)

1 files changed, 21 insertions, 6 deletions

diff --git a/source4/auth/credentials/credentials_krb5.c b/source4/auth/credentials/credentials_krb5.c
index 3bc1764448..b9207ab601 100644
--- a/source4/auth/credentials/credentials_krb5.c
+++ b/source4/auth/credentials/credentials_krb5.c
@@ -379,19 +379,34 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
 	maj_stat = gss_krb5_import_cred(&min_stat, ccache->ccache, NULL, NULL, 
 					&gcc->creds);
 	if (maj_stat) {
+		talloc_free(gcc);
 		if (min_stat) {
 			ret = min_stat;
 		} else {
 			ret = EINVAL;
 		}
+		return ret;
 	}
-	if (ret == 0) {
-		cred->client_gss_creds_obtained = cred->ccache_obtained;
-		talloc_set_destructor(gcc, free_gssapi_creds);
-		cred->client_gss_creds = gcc;
-		*_gcc = gcc;
+
+	/* don't force GSS_C_CONF_FLAG and GSS_C_INTEG_FLAG */
+	maj_stat = gss_set_cred_option(&min_stat, gcc->creds,
+				       GSS_KRB5_CRED_NO_CI_FLAGS_X,
+				       GSS_C_NO_BUFFER);
+	if (maj_stat) {
+		talloc_free(gcc);
+		if (min_stat) {
+			ret = min_stat;
+		} else {
+			ret = EINVAL;
+		}
+		return ret;
 	}
-	return ret;
+
+	cred->client_gss_creds_obtained = cred->ccache_obtained;
+	talloc_set_destructor(gcc, free_gssapi_creds);
+	cred->client_gss_creds = gcc;
+	*_gcc = gcc;
+	return 0;
 }
 
 /**