On Tue, Aug 12, 2008 at 10:23:19PM +0200, Angel Marin wrote:
Jason Gunthorpe wrote:
On Tue, Aug 12, 2008 at 10:27:40AM +0200, Angel Marin wrote:
I cooked this up while trying to figure out why thunderbird on Windows w/ SSPI was not working, but it turned out thunderbird does not use it, so I haven't been able to test it yet. I'm presenting it for discussion only, unless someone else can try it :)
Jason Gunthorpe wrote: thunderbird does all combinations of GSS auth w/ & w/o SSPI I've ever tried; it's just a pain to find the correct combination of network.negotiate-auth.* and network.auth.use-sspi settings for any given case :) (plus enabling secure auth for the TB account at test)
Really? I was looking through the source to TB and I can't find where it would use AUTH=GSS-SPNEGO..
ok now rereading it again, I didn't make it clear what part of your message I was referring to :)
I was just addressing the 'why thunderbird on Windows w/ SSPI was not working' part pointing out that thunderbird can do SSPI and that it should work tweaking the appropriate options.
Oh right, in the end it did work. It turned out thunderbird was trying to use a different SPN than the linux environment. Since that SPN was not configured in AD thunderbird just bailed with an unhelpfull message :(
FWIW, near as I can tell, thunderbird seems to use an SPN derived from the SSL cetrficate on Windows while on Linux it uses an SPN derived from the reverse lookup of the server's IP.
In the end configuring the alternative SPN and using the multihoming patch I sent out made it all work.
Now only outlook does not do single sign on.. Has anyone got outlook and dovecot to do SSO? Does the NTLM winbind patch make that work?
Thanks, Jason