On Wed May 14 16:21:12 2025 +0000, Dmitry Timoshkov wrote:
> No, it doesn't. Moreover, adding ISC_REQ_USE_DCE_STYLE breaks Kerberos authentication with working sasl_encode/sasl_decode. As explained in the patches, sasl_encode() needs to properly construct the output buffer, placing the trailer at the end of the buffer, and sasl_decode() should treat the input buffer as data+trailer, like https://github.com/cyrusimap/cyrus-sasl/blob/master/plugins/gssapi.c does.

ISC_REQ_USE_DCE_STYLE is what we use everywhere else and it uses a different buffer layout, so I thought it was worth a shot. We want to avoid making assumptions about buffer layout here since that defeats the purpose of Negotiate (and SASL). I wonder if this should be fixed in the Negotiate provider instead. Currently we simply pass through to Kerberos/NTLM; perhaps that's not correct.