I found two problems with SPNEGO and the conversation between the
initiator and the acceptor.  One is that if the initiator produces the
final mechanism token it doesn't send it to the acceptor who is waiting
for it.  The other is that if the mechanism doesn't set
GSS_C_INTEG_FLAG, the acceptor never sets the state to ACCEPT_COMPLETE.
This fixed both problems for us:


Index: src/lib/gssapi/spnego/spnego_mech.c
===================================================================
--- src/lib/gssapi/spnego/spnego_mech.c	(revision 23482)
+++ src/lib/gssapi/spnego/spnego_mech.c	(working copy)
@@ -652,8 +652,9 @@
 		 * mech not finished and mech token missing
 		 */
 		ret = GSS_S_DEFECTIVE_TOKEN;
-	} else if (sc->mic_reqd &&
-		   (sc->ctx_flags & GSS_C_INTEG_FLAG)) {
+	} else if (*acc_negState == ACCEPT_INCOMPLETE ||
+	           (sc->mic_reqd &&
+		    (sc->ctx_flags & GSS_C_INTEG_FLAG))) {
 		*negState = ACCEPT_INCOMPLETE;
 		*tokflag = CONT_TOKEN_SEND;
 		ret = GSS_S_CONTINUE_NEEDED;
@@ -1534,6 +1535,11 @@
 			sc->mic_reqd = 0;
 		}
 #endif
+
+		if (sc->mic_reqd && !(sc->ctx_flags & GSS_C_INTEG_FLAG))
{
+			sc->mic_reqd = 0;
+		}
+
 		sc->mech_complete = 1;
 		if (ret_flags != NULL)
 			*ret_flags = sc->ctx_flags;