gensec: add GENSEC_FEATURE_NO_DELEGATION flag to avoid GSS_C_DELEG[_POLICY]_FLAG

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

auth/gensec/gensec.h

@@ -72,6 +72,7 @@ struct gensec_target {
 #define GENSEC_FEATURE_SMB_TRANSPORT	0x00001000
 #define GENSEC_FEATURE_LDAPS_TRANSPORT	0x00002000
 #define GENSEC_FEATURE_CB_OPTIONAL	0x00004000
+#define GENSEC_FEATURE_NO_DELEGATION	0x00008000
 
 #define GENSEC_EXPIRE_TIME_INFINITY (NTTIME)0x8000000000000000LL
 

source3/librpc/crypto/gse.c

@@ -196,7 +196,6 @@ static NTSTATUS gse_context_init(struct gensec_security *gensec_security,
 	memcpy(&gse_ctx->gss_mech, mech, sizeof(gss_OID_desc));
 
 	gse_ctx->gss_want_flags = GSS_C_MUTUAL_FLAG |
-				GSS_C_DELEG_POLICY_FLAG |
 				GSS_C_REPLAY_FLAG |
 				GSS_C_SEQUENCE_FLAG;
 	if (do_sign) {
@@ -1137,6 +1136,10 @@ static NTSTATUS gensec_gse_client_start(struct gensec_security *gensec_security)
 		want_flags |= GSS_C_DCE_STYLE;
 	}
 
+	if (!(gensec_security->want_features & GENSEC_FEATURE_NO_DELEGATION)) {
+		want_flags |= GSS_C_DELEG_POLICY_FLAG;
+	}
+
 #ifdef HAVE_CLIENT_GSS_C_CHANNEL_BOUND_FLAG
 	/*
 	 * We can only use GSS_C_CHANNEL_BOUND_FLAG if the kerberos library

source4/auth/gensec/gensec_gssapi.c

@@ -200,6 +200,10 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security)
 	if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "sequence", true)) {
 		gensec_gssapi_state->gss_want_flags |= GSS_C_SEQUENCE_FLAG;
 	}
+	if (!(gensec_security->want_features & GENSEC_FEATURE_NO_DELEGATION)) {
+		gensec_gssapi_state->gss_want_flags &= ~GSS_C_DELEG_FLAG;
+		gensec_gssapi_state->gss_want_flags &= ~GSS_C_DELEG_POLICY_FLAG;
+	}
 
 	if (gensec_security->want_features & GENSEC_FEATURE_SESSION_KEY) {
 		gensec_gssapi_state->gss_want_flags |= GSS_C_INTEG_FLAG;