Revert the MSVAVFLAGS_UNVERIFIED_SPN flag default

simo5 · simo5 · commit cb30fe2d66c1 · 2022-03-15T18:14:18.000-04:00
By default SSPI does not set this flag, and setting it causes servers
with restrictive policy to fail authentication. Given no MS client sets
this flag by default, neither should we until there is a clear need.
We trust our calling applications to do the right thing here in any
case just like SSPI trusts their own calling applications.

Signed-off-by: Simo Sorce &lt;simo@redhat.com&gt;
diff --git a/src/gss_sec_ctx.c b/src/gss_sec_ctx.c
@@ -730,7 +730,15 @@ uint32_t gssntlm_accept_sec_context(uint32_t *minor_status,
             goto done;
         }
 
-        av_flags = MSVAVFLAGS_UNVERIFIED_SPN;
+        /* TODO: allow client applications to set a context option to
+         * provide an av_flags default value so that flags like
+         * MSVAVFLAGS_UNVERIFIED_SPN can be set. By default SSPI does
+         * not set this flag, and setting it causes servers with restrictive
+         * policy to fail authentication. Given no MS client set this flag
+         * by default, neither should we until there is a clear need. We
+         * trust our calling applications to do the right thing here.
+         * av_flags = MSVAVFLAGS_UNVERIFIED_SPN;
+         */
 
         timestamp = ntlm_timestamp_now();
 
