From de5f912e02918a02b5fbfffdbe1edb2e5f602388 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Love=20H=C3=B6rnquist=20=C3=85strand?=
Date: Wed, 15 Jul 2009 22:18:00 +0000
Subject: [PATCH] Contributed by Andrew Bartlett: When Samba4's 'fake' GSSAPI client contacts Windows 2008, and does not request AP_MUTUAL_REQUIRED, it does not elicit a response packet. We had previously assumed it was unconditional. Samba3 didn't mind very much, but Samba4's samba3-like client did, and the behaviour differed to Win2008 behaviour.
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@25328 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
 lib/gssapi/krb5/accept_sec_context.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/lib/gssapi/krb5/accept_sec_context.c b/lib/gssapi/krb5/accept_sec_context.c
index f1097d649b3..8d998ed0988 100644
--- a/lib/gssapi/krb5/accept_sec_context.c
+++ b/lib/gssapi/krb5/accept_sec_context.c
@@ -517,10 +517,12 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
 }
 /*
- * Samba style get some flags (but not DCE-STYLE)
+ * Samba style get some flags (but not DCE-STYLE), use
+ * ap_options to guess the mutual flag.
 */
- ctx->flags =
- GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG;
+ ctx->flags = GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG;
+ if (ap_options & AP_OPTS_MUTUAL_REQUIRED)
+ ctx->flags |= GSS_C_MUTUAL_FLAG;
 }
 }
-- 
2.11.4.GIT
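Review bot: The new `if (ap_options & AP_OPTS_MUTUAL_REQUIRED)` takes GSS_C_MUTUAL_FLAG from the AP-REQ options field, which in RFC 4120 sits outside the encrypted authenticator, so the comment's word "guess" understates that this bit is not integrity-protected the way flags carried in the authenticator checksum are. I would extend the comment with `* ap_options comes from the cleartext part of the AP-REQ; treat the mutual flag as advisory.` so that acceptor-side callers who require mutual authentication know to check the returned flags rather than assume it. GSS_C_REPLAY_FLAG and GSS_C_SEQUENCE_FLAG are still asserted unconditionally in this branch, which the comment could also state. gsskrb5_acceptor_start begins and ends outside the hunk, and the assignment of `ap_options` is not visible here, so confirm it is set on every path that reaches this branch.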