On Mon May 19 10:31:52 2025 +0000, Hans Leidekker wrote:
I restored my test setup and compared packet captures with Wireshark. There's an obvious difference because we don't support SPNEGO in the Negotiate provider; instead we pass NTLM or Kerberos straight through, which is also accepted by Windows. Even if NTLM is wrapped in SPNEGO the buffer layout is the same, i.e. the reverse of Kerberos, so there's no way around detecting the package in use. I'm attaching a patch that works here for Kerberos and NTLM. Does it work for you? [ldap.diff](/uploads/f17c839bd1ffed2b5f3d107e48437c8e/ldap.diff)
Thanks for working on this. Yes, this patch works for me. Obviously it needs a patch that adds GSS_C_MUTUAL_FLAG (I'm also adding GSS_C_SEQUENCE_FLAG, but that's a minor detail), otherwise your patch basically just adds additional logic if the security package is NTLM.
What are the next steps with this? Should I update the MR with your diff as a separate patch?