From 0299edbc02f4185020bae8e66c02d1081d07279f Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Mon, 28 Jul 2008 09:29:42 +0200
Subject: auth/credentials: explain why we need to the enctypes for the gssapi
 layer

metze
(This used to be commit 88970c4d4192635544cf63e79e929e9bb05ecb5f)
---
 source4/auth/credentials/credentials_krb5.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

(limited to 'source4/auth/credentials')

diff --git a/source4/auth/credentials/credentials_krb5.c b/source4/auth/credentials/credentials_krb5.c
index c4c58398c3..1a2d5faddd 100644
--- a/source4/auth/credentials/credentials_krb5.c
+++ b/source4/auth/credentials/credentials_krb5.c
@@ -392,7 +392,17 @@ _PUBLIC_ int cli_credentials_get_client_gss_creds(struct cli_credentials *cred,
 		return ret;
 	}
 
-	/* transfer the enctypes from the smb_krb5_context to the gssapi layer */
+	/*
+	 * transfer the enctypes from the smb_krb5_context to the gssapi layer
+	 *
+	 * We use 'our' smb_krb5_context to do the AS-REQ and it is possible
+	 * to configure the enctypes via the krb5.conf.
+	 *
+	 * And the gss_init_sec_context() creates it's own krb5_context and
+	 * the TGS-REQ had all enctypes in it and only the ones configured
+	 * and used for the AS-REQ, so it wasn't possible to disable the usage
+	 * of AES keys.
+	 */
 	min_stat = krb5_get_default_in_tkt_etypes(ccache->smb_krb5_context->krb5_context,
 						  &etypes);
 	if (min_stat == 0) {
-- 
cgit