[Dovecot] Patch for Dovecot 1.0.1 to support cross realm GSSAPI authentication
Peter Eriksson
peter at ifm.liu.se
Mon Jul 2 19:08:23 EEST 2007
Please find enclosed two patch files (one for configure.in and one for
src/mech/auth-gssapi.c) that fix a problem in the GSSAPI code that
prevented Dovecot from successfully authenticating when using cross-realm
Kerberos credentials.
Unfortunately I think it'll only work on Solaris (it uses the
undocumented call __gss_userok() - however I think that there
have been proposals on making that into an official one called
gss_userok() - so perhaps some operating systems already have it? It
basically calls the underlying krb5_userok() function that does the
right stuff).
Our setup is like this:
1. Windows XP PC that authenticates against a normal Windows 2003
AD server in the AD realm "AD.IFM.LIU.SE"
2. Solaris 10 server that authenticates against a normal Kerberos KDC
in the Kerberos realm "IFM.LIU.SE"
3. Cross-realm trust between AD.IFM.LIU.SE and IFM.LIU.SE has been
configured (various steps needed - both on the Unix side and on the
Windows side, both on the AD servers and on the client).
4. On the Solaris server the /etc/krb5/krb5.conf file has been
configured like this:

    [libdefaults]
        default_realm = IFM.LIU.SE

    [realms]
        IFM.LIU.SE = {
            kdc = as-master.ifm.liu.se
            kdc = as-slave.ifm.liu.se
            admin_server = as-master.ifm.liu.se
            auth_to_local_realm = AD.IFM.LIU.SE
        }
        AD.IFM.LIU.SE = {
            kdc = ad-master.ad.ifm.liu.se
            kdc = ad-slave.ad.ifm.liu.se
            admin_server = ad-master.ifm.liu.se
            kpasswd_protocol = SET_CHANGE
        }
5. I use Thunderbird 2 on the PC to connect to the Dovecot server with
the AD-acquired credentials, and with the patch above it works
correctly.
Without the patch, Dovecot will fail since the code that does
the GSSAPI authentication fails at gss_compare_names()
(that code only works if the credentials used are from the local realm).
(The cross-realm setup also works with Quest Putty so you can do
passwordless SSH logins from your AD-connected PC to the Unix servers,
and get a delegated AD ticket so that Secure NFS also works).
Storing of delegated tickets is something that my patch above doesn't
solve. It shouldn't be that hard to implement though - you basically
just have to call gss_store_cred() at the right place in Dovecot (when
you've switched to the right userid, and preferably after having called
some PAM setup functions) - can be useful if you ever want to run
Dovecot and access a Secure NFS protected remote filesystem...
- Peter
Attachments (archived at dovecot.org):
configure.in.diff (text/x-patch, 999 bytes):
http://dovecot.org/pipermail/dovecot/attachments/20070702/39a4849f/attachment.bin
mech-gssapi.c.diff (text/x-patch, 2966 bytes):
http://dovecot.org/pipermail/dovecot/attachments/20070702/39a4849f/attachment-0001.bin
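The failure Peter describes comes down to how the server authorizes the GSSAPI-authenticated principal against the requested login name. The added C example below is not from the post, from the patch, or from Dovecot; it contrasts the exact-match comparison that a gss_compare_names() against an imported "login@LOCAL_REALM" name amounts to with a realm-aware check that emulates the effect of the auth_to_local_realm setting in the krb5.conf above. The functions naive_userok() and realm_aware_userok(), the TRUSTED_REALMS table, and the principal strings (including the untrusted realm OTHER.EXAMPLE) are assumptions constructed for the example; the realm names IFM.LIU.SE and AD.IFM.LIU.SE are the ones from the post. It is a simplified stand-in for the libkrb5 mapping logic, not a replacement for krb5_kuserok() or gss_userok().

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Constructed values: the realm the server itself belongs to, and the set of
 * realms that the local policy (auth_to_local_realm in krb5.conf) permits to
 * map onto local accounts. Realm names are taken from the post. */
static const char *LOCAL_REALM = "IFM.LIU.SE";
static const char *TRUSTED_REALMS[] = { "IFM.LIU.SE", "AD.IFM.LIU.SE" };
#define N_TRUSTED (sizeof TRUSTED_REALMS / sizeof TRUSTED_REALMS[0])

/* Naive check: the server builds "<login>@<LOCAL_REALM>" and requires an exact
 * match with the client's principal. This is what an exact-name comparison
 * such as gss_compare_names() gives you, so a cross-realm principal like
 * "peter@AD.IFM.LIU.SE" can never be authorized as local user "peter". */
bool naive_userok(const char *gss_display_name, const char *login_user)
{
    char expected[256];
    snprintf(expected, sizeof expected, "%s@%s", login_user, LOCAL_REALM);
    return strcmp(gss_display_name, expected) == 0;
}

/* Realm-aware check (simplified emulation of auth_to_local behaviour):
 * split the principal into name and realm, accept only realms the local
 * policy trusts, then compare the name part with the requested account. */
bool realm_aware_userok(const char *gss_display_name, const char *login_user)
{
    const char *at = strrchr(gss_display_name, '@');
    if (at == NULL || at == gss_display_name || at[1] == '\0')
        return false;                 /* malformed principal: reject */
    size_t name_len = (size_t)(at - gss_display_name);
    const char *realm = at + 1;

    bool trusted = false;
    for (size_t i = 0; i < N_TRUSTED; i++)
        if (strcmp(realm, TRUSTED_REALMS[i]) == 0)
            trusted = true;
    if (!trusted)
        return false;                 /* unknown realm: no local mapping */

    /* Length check plus bounded compare so that "peter@..." matches only
     * the account "peter", not "pet" or "peterson". Principals with an
     * instance component (e.g. "user/admin") are intentionally not mapped. */
    if (memchr(gss_display_name, '/', name_len) != NULL)
        return false;
    return strlen(login_user) == name_len &&
           strncmp(gss_display_name, login_user, name_len) == 0;
}

int main(void)
{
    /* Constructed test principals; OTHER.EXAMPLE is a placeholder realm. */
    const char *cases[][2] = {
        { "peter@IFM.LIU.SE",    "peter" },   /* local realm             */
        { "peter@AD.IFM.LIU.SE", "peter" },   /* cross-realm, trusted    */
        { "peter@OTHER.EXAMPLE", "peter" },   /* untrusted realm         */
        { "peter@AD.IFM.LIU.SE", "root"  },   /* wrong local account     */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-22s as %-6s naive=%d realm-aware=%d\n",
               cases[i][0], cases[i][1],
               (int)naive_userok(cases[i][0], cases[i][1]),
               (int)realm_aware_userok(cases[i][0], cases[i][1]));
    return 0;
}
```

The design point is that the authorization step after gss_accept_sec_context() must decide which realms may map onto local accounts, and that decision belongs in the Kerberos configuration (auth_to_local / auth_to_local_realm) rather than in a string comparison inside the mail server; the realm-aware variant also rejects malformed names and instance principals instead of falling through to a match.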