Simo Sorce
Ok, so the second one is kind of expected, given gss-proxy cannot get you creds for admin and the original creds are expired. But the creds.lifetime is not adjusted ......
See how we did it in mod_auth_gssapi
Yes, you can map the machine keytab to root in krb5.conf auth_to_local facility. Add something like this to the auth_to_local rules in the REALM section under [realms]:
```
RULE:[2:$1;$2](^host;my.keytab.hostname$)s/^.*$/root/
```
...
See auth_to_local directive here: https://web.mit.edu/kerberos/krb5-1.20/doc/admin/conf_files/krb5_conf.html#realms
TBH I am not sure I ever tested anonymous support, so I am going to assume it is somewhat broken. I will try to validate and then add GSS_C_MA_AUTH_INIT_ANON as...
I currently do not allow anon:
```
if (claimant_cred_handle == GSS_C_NO_CREDENTIAL) {
    if (req_flags & GSS_C_ANON_FLAG) {
        set_GSSERRS(ERR_NOARG, GSS_S_UNAVAILABLE);
        goto done;
```
I am working on it, please do not close this issue :)
In MS-NLMP 3.1.5.2.1 "Client Receives a CHALLENGE_MESSAGE" it says:
> If the CHALLENGE_MESSAGE TargetInfo field (section 2.2.1.2) has an MsvAvTimestamp present, the client SHOULD provide a MIC

Ok so I see quite a few differences in how the successful and unsuccessful clients behave. The successful client does not request 56 bit security nor target info, and even...
So looking at the code the MIC field is not strictly required, however the check I made with the Server Time is incorrect. The spec indicates that a timestamp in...