Hi all-- been away from the list for a few weeks so forgive me if this problem has been reported-- with the help of some of our Kerberos engineers, we tracked down why we can't authenticate our Solaris kerberos clients to Dovecot.

Here's the deal: Our IT organization issued us kerberos tickets of the form

    imap@foobar.sfbay.sun.com

Which I presume is their standard-- and probably not negotiable. However, the hostname of the machine is: "foobar", not foobar.sfbay.sun.com (as reported by gethostname(3c)).

So when dovecot does this:

mech-gssapi.c: principal_name = t_str_new(128); str_append(principal_name, service_name); str_append_c(principal_name, '@'); ---> str_append(principal_name, my_hostname);

We wind up asking kerberos to look for a ticket for imap@foobar, instead of imap@foobar.sfbay.sun.com.

Obviously we can patch the source, but I was wondering if we could have a gssapi_hostname setting in the config file? Or perhaps we could have a knob letting us globally override my_hostname? Although I don't know what side effects that could have.

We have some new cores I also need to report-- I'll get on that.

Thanks in advance,

    -dp

-- Daniel Price - Solaris Kernel Engineering - dp@eng.sun.com - blogs.sun.com/dp