[Dovecot] [PATCH] Support GSS-SPNEGO natively

Jason Gunthorpe jgunthorpe at obsidianresearch.com
Tue Aug 12 09:44:36 EEST 2008


I cooked this up while trying to figure out why thunderbird on Windows
w/ SSPI was not working, but it turned out thunderbird does not use
it, so I haven't been able to test it yet. I'm presenting it for
discussion only, unless someone else can try it :)

Modern versions of MIT kerberos support GSS-SPNEGO natively, but are
only willing to negotiate for kerberos tickets and not NTLM
messages. 

This is how the SPNEGO works in libapache-mod-auth-kerb-5.3 which
simply passes SPNEGO packets directly to gssapi if the library is new
enough. There is even a configure feature test for the gssapi library
in that package's configure script. Note that Debian etch's standard
kerb libraries (1.4) are not good enough for this.

Having this work means the other gssapi policy knobs in dovecot, like
auth_gssapi_hostname, work properly, instead of 'whatever it is that
samba does'. I guess it fixes the concerns about winbind
accesses blocking (although don't the gssapi calls block??)

In light of this it is really only useful to use winbind if you want
to support NTLM as kerberos will do the necessary exchanges with the
kdc for an Active Directory domain. In truth a proper and complete
design would somehow layer the built in NTLM module under the SPNEGO
negotiation and only pass NTLM messages off to samba but I doubt
anyone cares with NTLM being rather obsolete.

--- dovecot-1.0.13/src/auth/mech-gssapi.c   2007-12-11 11:52:08.000000000 -0700
+++ dovecot-1.0.13-jgg/src/auth/mech-gssapi.c       2008-08-11 23:52:15.000000000 -0600
@@ -417,4 +424,21 @@
        mech_gssapi_auth_free
 };
 
+/* MTI Kerberos > 1.5 supports SPNEGO for Kerberos tickets internally.
+   Nothing else needs to be done here. Note however that this does not
+   support SPNEGO when the only available credential is NTLM.. */
+const struct mech_module mech_gssapi_spnego = {
+        "GSS-SPNEGO",
+
+        MEMBER(flags) 0,
+
+        MEMBER(passdb_need_plain) FALSE,
+        MEMBER(passdb_need_credentials) FALSE,
+
+        mech_gssapi_auth_new,
+        mech_gssapi_auth_initial,
+        mech_gssapi_auth_continue,
+        mech_gssapi_auth_free
+};
+
 #endif
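Review bot: the hunk header `@@ -417,4 +424,21 @@` starts 7 lines later in the new file than in the old one, so an earlier hunk in mech-gssapi.c (about 7 added lines) appears to be missing from the posted patch; please repost the complete diff so the whole change can be reviewed. Two smaller points in this hunk: the comment reads "MTI Kerberos" where "MIT Kerberos" is meant, and since mech_gssapi_spnego simply reuses mech_gssapi_auth_new/initial/continue, the reviewer should confirm that the credential acquisition in mech_gssapi_auth_new (not shown here) does not restrict the desired mechanism set to the Kerberos OID, because a server credential limited to krb5 would make gss_accept_sec_context reject a SPNEGO initial token even on a library that supports SPNEGO.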
--- dovecot-1.0.13/src/auth/mech.c  2007-12-11 11:52:08.000000000 -0700
+++ dovecot-1.0.13-jgg/src/auth/mech.c      2008-08-11 21:30:56.000000000 -0600
@@ -72,6 +72,7 @@
 extern struct mech_module mech_anonymous;
 #ifdef HAVE_GSSAPI
 extern struct mech_module mech_gssapi;
+extern struct mech_module mech_gssapi_spnego;
 #endif
 
 void mech_init(void)
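Review bot: the new declaration `extern struct mech_module mech_gssapi_spnego;` omits the const qualifier that the definition in mech-gssapi.c carries; this follows the existing `extern struct mech_module mech_gssapi;` line directly above it, so it is consistent with current style, but both declarations ought to match their definitions rather than propagate the mismatch.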
@@ -86,6 +87,7 @@
        mech_register_module(&mech_anonymous);
 #ifdef HAVE_GSSAPI
        mech_register_module(&mech_gssapi);
+       mech_register_module(&mech_gssapi_spnego);
 #endif
 }
 
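Review bot: GSS-SPNEGO is registered, and therefore advertised to clients in the SASL mechanism list, whenever HAVE_GSSAPI is set, yet the cover text itself notes that older MIT libraries (Debian etch's 1.4) cannot negotiate SPNEGO. A client that prefers GSS-SPNEGO over GSSAPI would then fail authentication rather than fall back. Suggest gating the registration on library support, either with a configure feature test as libapache-mod-auth-kerb does, or at runtime by checking that gss_indicate_mechs() reports the SPNEGO mechanism OID before calling `mech_register_module(&mech_gssapi_spnego);`.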
@@ -101,5 +103,6 @@
        mech_unregister_module(&mech_anonymous);
 #ifdef HAVE_GSSAPI
        mech_unregister_module(&mech_gssapi);
+       mech_unregister_module(&mech_gssapi_spnego);
 #endif
 }
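Review bot: unregistration mirrors registration here, which is correct; if registration of mech_gssapi_spnego ever becomes conditional on library support, keep this `mech_unregister_module(&mech_gssapi_spnego);` call under the same condition so init and deinit stay symmetric.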

