On Jul 27, 2009, at 5:06 AM, Peter Eriksson wrote:
"mech-gssapi.c", line 276: undefined symbol: gss_mech_krb5 "mech-gssapi.c", line 276: warning: improper pointer/integer combination: arg #2 .. "gss_mech_krb5" is not a valid variable on Solaris.
Oh, there are more GSSAPI implementations than just MIT and Heimdal? :) Fixed: http://hg.dovecot.org/dovecot-1.2/rev/ac2e37e4c2c1
Do you really have to check that GSSAPI is using Kerberos? Why not leave it up to the system to use whatever default authentication
mechanism is choosen (currently that probably is Kerberos, but other things
might pop up in the future - you never now). The whole point of using GSSAPI is that it should be agnostic to the authentication mechanism used
"behind the scenes"...
GSSAPI SASL mechanism is meant only for Kerberos. I don't really know
why. RFC 4752 says:
Upon successful establishment of the security context (i.e.,
GSS_Accept_sec_context returns GSS_S_COMPLETE), the server SHOULD
verify that the negotiated GSS-API mechanism is indeed Kerberos V5
[KRB5GSS]. This is done by examining the value of the mech_type
parameter returned from the GSS_Accept_sec_context call. If the value
differs, SASL authentication MUST be aborted.
Also Heimdal's author said that comparing GSSAPI display names is
dangerous if this check isn't done. That's the main reason I added the
check.
Another issue when building 1.2.2 that wasn't there with 1.2.1 is that "-lsocket" seems to be missing causing linking errors. One example: