On Fri, May 02, 2025 at 04:57:42AM +0200, Stephan Bosch wrote:
I am having some difficulty setting up an environment to test this right now, but I think this should fix it:
diff --git a/src/auth/mech-gssapi.c b/src/auth/mech-gssapi.c index 57a2b125b2..4ff5716528 100644 --- a/src/auth/mech-gssapi.c +++ b/src/auth/mech-gssapi.c @@ -672,7 +672,7 @@ mech_gssapi_auth_initial(struct auth_request *request,
if (data_size == 0) { /* The client should go first */ - auth_request_handler_reply_continue(request, NULL, 0); + auth_request_handler_reply_continue(request, uchar_empty_ptr, 0); } else { mech_gssapi_auth_continue(request, data, data_size); }
Thank you, this does seem to fix the issue. In case it helps, I've found the test script used by gsasl and libgssglue to be quite useful for testing this functionality. It sets up a minimal Kerberos realm, dovecot server, and GSSAPI IMAP client. A version that works with dovecot 2.4 is available at https://salsa.debian.org/noahm/libgssglue/-/blob/0504956891696208d412cceb912... noah