Please find enclosed two patch files (one for configure.in and one for src/mech/auth-gssapi.c) that fix a problem in the GSSAPI code that prevented Dovecot from successfully authenticating when using cross-realm Kerberos credentials.
Unfortunately I think it'll only work on Solaris (it uses the undocumented call __gss_userok() - however I think that there have been proposals on making that into an official one called gss_userok() - so perhaps some operating systems already have it? It basically calls the underlying krb5_userok() function that does the right stuff).
Our setup is like this:
Windows XP PC that authenticates against a normal Windows 2003 AD server in the AD realm "AD.IFM.LIU.SE"
Solaris 10 server that authenticates against a normal Kerberos KDC in the Kerberos realm "IFM.LIU.SE"
Cross-realm trust between AD.IFM.LIU.SE and IFM.LIU.SE has been configured (various steps needed - both on the Unix side and on the Windows side (both on the AD servers and on the client)).
On the Solaris server the /etc/krb5/krb5.conf file has been configured like this:

    [libdefaults]
        default_realm = IFM.LIU.SE

    [realms]
        IFM.LIU.SE = {
            kdc = as-master.ifm.liu.se
            kdc = as-slave.ifm.liu.se
            admin_server = as-master.ifm.liu.se
            auth_to_local_realm = AD.IFM.LIU.SE
        }
        AD.IFM.LIU.SE = {
            kdc = ad-master.ad.ifm.liu.se
            kdc = ad-slave.ad.ifm.liu.se
            admin_server = ad-master.ifm.liu.se
            kpasswd_protocol = SET_CHANGE
        }
I use Thunderbird 2 on the PC to connect to the Dovecot server with the AD-acquired credentials, and with the patch above it works correctly.
Without the patch, Dovecot will fail, since the code that does the GSSAPI authentication fails at gss_compare_names() (that code only works if the credentials used are from the local realm).
(The cross-realm setup also works with Quest PuTTY, so you can do passwordless SSH logins from your AD-connected PC to the Unix servers and get a delegated AD ticket so that Secure NFS also works.)
Storing delegated tickets is something that my patch above doesn't solve. It shouldn't be that hard to implement though - you basically just have to call gss_store_cred() at the right place in Dovecot (when you've switched to the right userid, and preferably after having called some PAM setup functions) - can be useful if you ever want to run Dovecot and access a Secure NFS protected remote filesystem...
- Peter
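An added illustration (not part of Peter's post or patch, and not Dovecot or Kerberos library code): a simplified Python model of the two checks contrasted above. A strict name comparison accepts the requested user only in the default realm, while a userok-style check consults an explicit list of trusted realms, mirroring what `auth_to_local_realm` does in the krb5.conf shown; the realm names are the ones from the post, the user names are constructed, and the real krb5 userok logic (auth_to_local rules, .k5login) is not modelled.

```python
# Simplified model of GSSAPI name authorization for cross-realm logins.
# Added example only; not Dovecot, Solaris or MIT/Heimdal Kerberos code.

DEFAULT_REALM = "IFM.LIU.SE"
# Realms whose principals may map onto local accounts, i.e. the
# auth_to_local_realm entries from the krb5.conf above. Anything not listed
# here must never be mapped onto a local user, whatever the name says.
AUTH_TO_LOCAL_REALMS = {"AD.IFM.LIU.SE"}


def split_principal(principal):
    """Split 'name@REALM' into (name, realm); no '@' means the default realm."""
    if "@" not in principal:
        return principal, DEFAULT_REALM
    name, realm = principal.rsplit("@", 1)
    return name, realm


def name_compare_check(authenticated, requested_user):
    """gss_compare_names()-style check: the authenticated principal must be
    exactly the requested user in the DEFAULT realm. Cross-realm users fail."""
    return authenticated == f"{requested_user}@{DEFAULT_REALM}"


def userok_check(authenticated, requested_user):
    """userok-style check: accept the principal when its realm is the default
    realm or an explicitly trusted auth_to_local realm AND the name matches."""
    name, realm = split_principal(authenticated)
    if realm != DEFAULT_REALM and realm not in AUTH_TO_LOCAL_REALMS:
        return False  # untrusted realm: refuse, even if the name matches
    return name == requested_user


if __name__ == "__main__":
    # Constructed sample: an AD user logging into the IFM.LIU.SE Dovecot host.
    principal = "peter@AD.IFM.LIU.SE"
    print("strict compare:", name_compare_check(principal, "peter"))  # False
    print("userok:        ", userok_check(principal, "peter"))        # True
```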