I cooked this up while trying to figure out why Thunderbird on Windows with SSPI was not working, but it turned out Thunderbird does not use it, so I haven't been able to test it yet. I'm presenting it for discussion only, unless someone else can try it :)

Modern versions of MIT Kerberos support GSS-SPNEGO natively, but are only willing to negotiate for Kerberos tickets and not NTLM messages. This is how SPNEGO works in libapache-mod-auth-kerb-5.3, which simply passes SPNEGO packets directly to gssapi if the library is new enough. There is even a configure feature test for the gssapi library in that package's configure script. Note that Debian etch's standard Kerberos libraries (1.4) are not good enough for this.

Having this work means the other gssapi policy knobs in dovecot, like auth_gssapi_hostname, work properly, instead of 'whatever it is that Samba does'. I guess it fixes the concerns about winbind accesses blocking (although don't the gssapi calls block?). In light of this it is really only useful to use winbind if you want to support NTLM, as Kerberos will do the necessary exchanges with the KDC for an Active Directory domain.

In truth a proper and complete design would somehow layer the built-in NTLM module under the SPNEGO negotiation and only pass NTLM messages off to Samba, but I doubt anyone cares with NTLM being rather obsolete.

--- dovecot-1.0.13/src/auth/mech-gssapi.c 2007-12-11 11:52:08.000000000 -0700
+++ dovecot-1.0.13-jgg/src/auth/mech-gssapi.c 2008-08-11 23:52:15.000000000 -0600
@@ -417,4 +424,21 @@ mech_gssapi_auth_free }; +/* MTI Kerberos > 1.5 supports SPNEGO for Kerberos tickets internally. + Nothing else needs to be done here. Note however that this does not + support SPNEGO when the only available credential is NTLM.. */ +const struct mech_module mech_gssapi_spnego = { + "GSS-SPNEGO", + + MEMBER(flags) 0, + + MEMBER(passdb_need_plain) FALSE, + MEMBER(passdb_need_credentials) FALSE, + + mech_gssapi_auth_new, + mech_gssapi_auth_initial, + mech_gssapi_auth_continue, + mech_gssapi_auth_free +}; + #endif --- dovecot-1.0.13/src/auth/mech.c 2007-12-11 11:52:08.000000000 -0700 +++ dovecot-1.0.13-jgg/src/auth/mech.c 2008-08-11 21:30:56.000000000 -0600 @@ -72,6 +72,7 @@ extern struct mech_module mech_anonymous; #ifdef HAVE_GSSAPI extern struct mech_module mech_gssapi; +extern struct mech_module mech_gssapi_spnego; #endif void mech_init(void) @@ -86,6 +87,7 @@ mech_register_module(&mech_anonymous); #ifdef HAVE_GSSAPI mech_register_module(&mech_gssapi); + mech_register_module(&mech_gssapi_spnego); #endif } @@ -101,5 +103,6 @@ mech_unregister_module(&mech_anonymous); #ifdef HAVE_GSSAPI mech_unregister_module(&mech_gssapi); + mech_unregister_module(&mech_gssapi_spnego); #endif }
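Review bot: in the mech-gssapi.c hunk, mech_gssapi_spnego is compiled in whenever HAVE_GSSAPI is set, so the "GSS-SPNEGO" name gets advertised even when the linked krb5 library has no SPNEGO support (the cover text names Debian etch's 1.4 as exactly that case); a client that selects it will then fail once the token reaches the library instead of falling back to a mechanism that works. Suggest guarding the new struct with a configure-time test like the one the cover text describes from mod-auth-kerb, or checking at registration time that gss_indicate_mechs() returns the SPNEGO OID 1.3.6.1.5.5.2 before calling mech_register_module(&mech_gssapi_spnego). Two smaller points in the same hunk: the comment reads "MTI Kerberos > 1.5" where "MIT" is meant, and the header @@ -417,4 +424,21 @@ shows seven lines already added earlier in mech-gssapi.c that are not part of this posting, so the patch as posted is incomplete.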
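Review bot: the three mech.c hunks (extern declaration, mech_init registration, mech_unregister) are symmetric, which is correct; what is missing is any documentation or sample configuration change, so an administrator has no hint that a new mechanism called "GSS-SPNEGO" exists and has to be enabled before it is offered. Since mech_gssapi_spnego reuses all four mech_gssapi_auth_* handlers unchanged, the handlers cannot tell which name the client chose; the NTLM layering the cover text mentions would need its own continue handler, which is worth noting as a TODO next to the struct rather than only in the cover text.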
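The cover text's point that MIT gssapi will negotiate SPNEGO only when the client offers Kerberos can be checked before a token ever reaches the library: the first SPNEGO message (a NegTokenInit, RFC 4178) carries a mechTypes list, and a Windows client that has no ticket offers only NTLMSSP there. The following is an added example, not code from this patch or from dovecot, that decodes that DER structure and classifies the offer. The two sample tokens are constructed in the block itself (the mechToken bytes are placeholders, not real AP-REQ or NTLMSSP messages); the OIDs are the registered ones for SPNEGO, Kerberos 5, Microsoft Kerberos and NTLMSSP.

```python
"""Decode a SPNEGO NegTokenInit and report which mechanisms the client offers.

Added example for the discussion above; constructed tokens, not captured traffic.
"""

SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_OID = "1.2.840.113554.1.2.2"
MS_KRB5_OID = "1.2.840.48018.1.2.2"
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"
KERBEROS_OIDS = {KRB5_OID, MS_KRB5_OID}


def _der_len(n):
    """DER length octets (short and long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def encode_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER TLV (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = bytearray([a & 0x7F])
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        out += chunk
    return tlv(0x06, bytes(out))


def build_neg_token_init(mech_oids, mech_token):
    """InitialContextToken [APPLICATION 0] { SPNEGO OID, negTokenInit [0] }.

    Used only to construct sample input for the parser below.
    """
    mech_types = tlv(0x30, b"".join(encode_oid(o) for o in mech_oids))
    seq = tlv(0x30, tlv(0xA0, mech_types) + tlv(0xA2, tlv(0x04, mech_token)))
    return tlv(0x60, encode_oid(SPNEGO_OID) + tlv(0xA0, seq))


def read_tlv(buf, pos):
    """Return (tag, contents, position after the TLV)."""
    tag = buf[pos]
    ln = buf[pos + 1]
    pos += 2
    if ln & 0x80:
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + ln], pos + ln


def decode_oid(body):
    arcs = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def parse_neg_token_init(token):
    """Return (list of offered mech OIDs, optimistic mechToken or None)."""
    tag, body, _ = read_tlv(token, 0)
    if tag != 0x60:
        raise ValueError("not a GSS-API InitialContextToken")
    tag, oid_body, pos = read_tlv(body, 0)
    if tag != 0x06 or decode_oid(oid_body) != SPNEGO_OID:
        raise ValueError("token mechanism is not SPNEGO")
    tag, neg, _ = read_tlv(body, pos)
    if tag != 0xA0:
        raise ValueError("expected negTokenInit [0]")
    _, seq, _ = read_tlv(neg, 0)
    mechs, mech_token, pos = [], None, 0
    while pos < len(seq):
        tag, field, pos = read_tlv(seq, pos)
        if tag == 0xA0:                      # mechTypes: SEQUENCE OF OID
            _, lst, _ = read_tlv(field, 0)
            p = 0
            while p < len(lst):
                _, oid_bytes, p = read_tlv(lst, p)
                mechs.append(decode_oid(oid_bytes))
        elif tag == 0xA2:                    # mechToken: OCTET STRING
            _, mech_token, _ = read_tlv(field, 0)
    return mechs, mech_token


def classify(token):
    """'kerberos-optimistic' if the first mech (and so the embedded token) is
    Kerberos, 'kerberos-available' if Kerberos is offered but not first (one
    extra round trip), 'ntlm-only' if a Kerberos-only acceptor has nothing to
    take and will fail the exchange."""
    mechs, _ = parse_neg_token_init(token)
    if mechs and mechs[0] in KERBEROS_OIDS:
        return "kerberos-optimistic"
    if any(m in KERBEROS_OIDS for m in mechs):
        return "kerberos-available"
    return "ntlm-only"


# Constructed samples: a domain-joined Windows client with a ticket, and a
# client that can only do NTLM (placeholder mechToken bytes in both).
SAMPLE_WINDOWS = build_neg_token_init(
    [MS_KRB5_OID, KRB5_OID, NTLMSSP_OID], b"\x60\x0aplaceholder")
SAMPLE_NTLM_ONLY = build_neg_token_init([NTLMSSP_OID], b"NTLMSSP\x00\x01\x00\x00\x00")

if __name__ == "__main__":
    for name, tok in (("windows", SAMPLE_WINDOWS), ("ntlm-only", SAMPLE_NTLM_ONLY)):
        print(name, parse_neg_token_init(tok)[0], classify(tok))
```

A server that only has the krb5 mechanism behind SPNEGO cannot do anything useful with an "ntlm-only" offer; logging that classification at authentication time is a cheap way to tell an "NTLM client, expected" failure apart from a real Kerberos problem such as a wrong service principal.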