I've been trying to track down some problems with Dovecot in a Kerberos 5 cross-realm environment, and there seem to be a few issues. LOGIN/PLAIN work fine using pam_krb5, but GSSAPI is a bit harder to handle.

On line 436 of src/auth/mech-gssapi.c, the authn_name and the authz_name are compared using gss_compare_name. This dates back to the message at: http://dovecot.org/pipermail/dovecot/2005-October/009615.html

While everything within that message is true, as things stand, Dovecot is unusable in a cross-realm environment. When cross-realm tickets are used, the authn_name is "username@REALM" and the authz_name is "username" (or vice versa, I don't remember). The attached patch causes dovecot to display these two values in human-readable format to illustrate the issue. Because these two GSS names differ, Dovecot refuses to allow access in spite of the fact that krb5_kuserok would return TRUE.

I am not the only one to have noticed this problem: http://dovecot.org/pipermail/dovecot/2007-July/023868.html http://dovecot.org/pipermail/dovecot/2007-October/026027.html

Might I suggest that some more robust security checking be done instead of abusing gss_compare_name like this? I don't know how to do this using GSSAPI, but on the Kerberos side Heimdal provides the function krb5_kuserok. Dovecot could also just have a configurable file listing acceptable krb5 principals (preferably in .k5login syntax) and check that both auth_name and authz_name are in the list.

Bryan Jacobs