[Dovecot] gssapi auth issue...
Dan Price
dp at eng.sun.com
Tue Mar 27 08:37:08 EEST 2007
Hi all-- been away from the list for a few weeks so forgive me
if this problem has been reported-- with the help of some
of our Kerberos engineers, we tracked down why we can't
authenticate our Solaris kerberos clients to Dovecot.
Here's the deal: Our IT organization issued us kerberos tickets of the form
    imap@foobar.sfbay.sun.com
Which I presume is their standard-- and probably not negotiable.
However, the hostname of the machine is: "foobar", not foobar.sfbay.sun.com
(as reported by gethostname(3c)).
So when dovecot does this:
mech-gssapi.c:
        principal_name = t_str_new(128);
        str_append(principal_name, service_name);
        str_append_c(principal_name, '@');
   ---> str_append(principal_name, my_hostname);
We wind up asking kerberos to look for a ticket for imap@foobar,
instead of imap@foobar.sfbay.sun.com.
Obviously we can patch the source, but I was wondering if we could
have a gssapi_hostname setting in the config file? Or perhaps
we could have a knob letting us globally override my_hostname? Although I
don't know what side effects that could have.
We have some new cores I also need to report-- I'll get on that.
Thanks in advance,
-dp
--
Daniel Price - Solaris Kernel Engineering - dp at eng.sun.com - blogs.sun.com/dp
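Added example (not part of the original message and not Dovecot's code): a small C sketch of the name construction described above, with an optional hostname override and a check that flags a short, unqualified hostname. The helper names and the override parameter are hypothetical; the override models the gssapi_hostname setting requested in the message, which is a proposal, not an existing option.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper: 1 if host has a domain part, 0 for a short name. */
static int host_is_qualified(const char *host)
{
    const char *dot = strchr(host, '.');
    return dot != NULL && dot != host && dot[1] != '\0';
}

/*
 * Hypothetical helper: write "service@host" into out.
 * override_host models the proposed gssapi_hostname setting (an assumption,
 * not an existing option); system_host is the gethostname() result.
 * Returns 0 if the host used is qualified, 1 if it is a short name
 * (the keytab lookup is likely to miss), -1 on bad input or truncation.
 */
static int build_gss_service_name(const char *service,
                                  const char *override_host,
                                  const char *system_host,
                                  char *out, size_t outlen)
{
    const char *host = (override_host != NULL && *override_host != '\0')
        ? override_host : system_host;
    int n;
    if (service == NULL || *service == '\0' || host == NULL || *host == '\0')
        return -1;
    n = snprintf(out, outlen, "%s@%s", service, host);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return host_is_qualified(host) ? 0 : 1;
}

int main(int argc, char **argv)
{
    char sys_host[256], name[512];
    int rc;
    if (gethostname(sys_host, sizeof(sys_host)) != 0)
        return 2;
    sys_host[sizeof(sys_host) - 1] = '\0';
    /* argv[1], if given, plays the role of the override setting. */
    rc = build_gss_service_name("imap", argc > 1 ? argv[1] : NULL,
                                sys_host, name, sizeof(name));
    if (rc < 0)
        return 2;
    printf("%s%s\n", name, rc == 1 ? "  (short hostname)" : "");
    return rc;
}
```

Run without arguments it shows the name that would be built from gethostname() alone; an exit status of 1 means the host part is unqualified and should be compared against the principals in the keytab.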