I'd like to clarify some things a bit.
1. These (and other similar) patches are supposed to fix https://bugs.winehq.org/show_bug.cgi?id=55304, which is a regression since wine-7.22.
2. Before the offending commit, ldap_bind_s(ld, LDAP_AUTH_NEGOTIATE) worked perfectly for a host that uses Kerberos authorization.
3. The configuration where it worked used libldap from the Linux host. libldap uses the Cyrus SASL GSSAPI plugin: https://github.com/cyrusimap/cyrus-sasl/blob/master/plugins/gssapi.c. This plugin
   a) uses the GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG | GSS_C_CONF_FLAG | GSS_C_INTEG_FLAG flags,
   b) doesn't use GSS_C_DCE_STYLE,
   c) treats the output buffer as data + token.
So, the questions are:
1. Did NTLM authorization work before the switch to a bundled LDAP? How important is support for obsolete NTLM when the preferred Kerberos is broken? Wouldn't it be better to have working Kerberos support and later investigate whether NTLM support could be added (if it worked at all before)?
2. What is the point of discussing the Kerberos-specific RFC4752, DCE style, flags and output buffer format if the de facto only SASL GSSAPI implementation used by libldap has code that follows RFC4752 (https://github.com/cyrusimap/cyrus-sasl/blob/master/plugins/gssapi.c#L1597)?
3. Why invent something instead of using the approach from a working GSSAPI plugin?