[Dovecot] Patch for Dovecot 1.0.1 to support cross realm GSSAPI authentication

Peter Eriksson peter at ifm.liu.se
Mon Jul 2 20:55:37 EEST 2007


Timo Sirainen wrote:
> On Mon, 2007-07-02 at 18:08 +0200, Peter Eriksson wrote:
>   
>> +                               AC_CHECK_LIB(gss, __gss_userok, [
>> +                                       AC_DEFINE(HAVE___GSS_USEROK,,
>> +                                               Define if you have __gss_userok())
>> +                               ]) 
>>     
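Review bot: In the AC_DEFINE call, the empty second argument defines HAVE___GSS_USEROK with no value, so it can only be tested with #ifdef or defined(); an `#if HAVE___GSS_USEROK` elsewhere would fail to preprocess. Consider `AC_DEFINE(HAVE___GSS_USEROK, 1, [Define if you have __gss_userok()])`, which also m4-quotes the description that contains parentheses.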
>
> Instead of changing $LIBS, I think you can use:
>
> AC_CHECK_LIB(gss, __gss_userok, [ ...
> ],, `krb5-config --libs gssapi`)
>
>   
OK, I'll try that instead (I used the changing stuff since similar stuff 
was done earlier (with CFLAGS)) :-)

Btw, I think that the Heimdal implementation of GSSAPI has a similar 
function, but called gss_userok() (without the leading two "_" 
characters), that does something similar - any users of Heimdal around 
that can verify or deny that?


>> +#if 0 /* Added 070702 Peter Eriksson <peter at ifm.liu.se> - ref cyrus-sasl Solaris 8/9 has problems with NO_OID */
>> +                                      GSS_C_NT_USER_NAME,
>> +#else
>>                                        GSS_C_NO_OID,
>> +#endif
>>     
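Review bot: The `#if 0` means GSS_C_NT_USER_NAME is never compiled and GSS_C_NO_OID is still what gets passed, so this hunk has no effect on the build. Either drop it from the patch or, if the Solaris 8/9 problem with GSS_C_NO_OID is to be handled, select the OID from a configure check rather than a hard-coded 0, and move the dated attribution into the commit message.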
>
> Is this a common problem? Should it be a setting? Although with your
> change this code is never even executed, right?
>
>   
Dunno actually - when I was reading the Cyrus-SASL GSSAPI code I saw 
that they have a configure check for GSS_C_NT_USER_NAME in their code 
base and a comment that Solaris 8/9 doesn't like GSS_C_NO_OID in that 
call, so at first I thought that was the reason things didn't work - 
however it wasn't the problem, I later figured out...

Anyway, as you can see I disabled that change (and with the 
_gcc_userid() code it's not used anyway).

>> +       name = p_strndup(request->auth_request.pool,
>> +                        (unsigned char *)outbuf.value + 4,
>> +                        outbuf.length - 4);
>> +
>> +       if (!name) {
>> +               auth_request_log_error(&request->auth_request,
>> "gssapi",
>> +                                      "Invalid response size");
>> +               auth_request_fail(&request->auth_request);
>> +               return;
>> +       }           
>>     
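Review bot: Nothing in these lines checks that outbuf.length is at least 4 before `outbuf.length - 4` is computed; with a shorter token the unsigned subtraction wraps to a very large count and p_strndup() can read from `outbuf.value + 4` past the end of the buffer. The `!name` test cannot catch this, although its "Invalid response size" message suggests that was the intent. Test the length first, e.g. `if (outbuf.length <= 4) { ... auth_request_fail(&request->auth_request); return; }`, and only then copy the name.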
>
> name is never NULL.
>
>   
Ok, I'll remove those checks.

>> +               free(name);
>>     
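Review bot: free(name) is applied to a pointer that, in the hunk above, comes from p_strndup() on request->auth_request.pool, so it was not obtained from malloc() and passing it to free() can corrupt the heap. Drop the call; pool memory is released with the pool.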
>
> And you shouldn't free() it either.
>
>   
And I'll remove the free() calls too... :-)

I've uploaded new versions of the patches to:

    ftp://ftp.ifm.liu.se/pub/unix/dovecot/

I've also put a Solaris 10 SMF manifest there (dovecot.xml).

Btw, is it intentional that the first line in configure.in starts with 
an "x"?

- Peter
