[Dovecot] [PATCH] Support GSS-SPNEGO natively

Jason Gunthorpe jgunthorpe at obsidianresearch.com
Tue Aug 12 23:29:19 EEST 2008


On Tue, Aug 12, 2008 at 10:23:19PM +0200, Angel Marin wrote:
> Jason Gunthorpe wrote:
> > On Tue, Aug 12, 2008 at 10:27:40AM +0200, Angel Marin wrote:
> >> Jason Gunthorpe wrote:
> >>> I cooked this up while trying to figure out why thunderbird on Windows
> >>> w/ SSPI was not working, but it turned out thunderbird does not use
> >>> it, so I haven't been able to test it yet. I'm presenting it for
> >>> discussion only, unless someone else can try it :)
> >> thunderbird does all combinations of GSS auth w/ & w/o SSPI I've ever 
> >> tried; it's just a pain to find the correct combination of 
> >> network.negotiate-auth.* and network.auth.use-sspi settings for any 
> >> given case :) (plus enabling secure auth for the TB account at test)
> > 
> > Really? I was looking through the source to TB and I can't find where
> > it would use AUTH=GSS-SPNEGO..
> 
> ok now rereading it again, I didn't make it clear what part of your
> message I was referring to :)
> 
> I was just addressing the 'why thunderbird on Windows w/ SSPI was not
> working' part pointing out that thunderbird can do SSPI and that it
> should work tweaking the appropriate options.

Oh right, in the end it did work. It turned out thunderbird was trying
to use a different SPN than the linux environment. Since that SPN was
not configured in AD thunderbird just bailed with an unhelpful
message :(

FWIW, near as I can tell, thunderbird seems to use an SPN
derived from the SSL certificate on Windows while on Linux it uses an
SPN derived from the reverse lookup of the server's IP.

In the end configuring the alternative SPN and using the multihoming
patch I sent out made it all work.

Now only outlook does not do single sign on.. Has anyone got outlook
and dovecot to do SSO? Does the NTLM winbind patch make that work?

Thanks,
Jason

