I've written a GSSAPI cross-realm auth patch for people not lucky enough to have the __gss_userok function, though it should apply pretty cleanly with that patch in place as well. The patch is available at: http://zinux.cynicbytrade.com/svn/servers/dovecot/cross-realm.diff.bz2 It works for me on MIT-kerb, and I tested compilation against heimdal, but I don't have a cross-realm setup to test functionality under heimdal (though I also have no reason to think it wouldn't work). Since neither MIT nor heimdal provide a gss_userok() function, I used the krb5_userok() function. So if you're using a mechanism other than krb5 this won't work. But it's the same thing that OpenSSH and the apps distributed with heimdal do, so it seemed relatively safe. I also choose to append the krb5_userok() check rather than replace the gss_compare_name() check -- that way same-realm auth works for non-krb5 mechanisms, and my new code doesn't get called unless the same-realm check fails. If you don't care about other mechanisms it would be faster to bypass the gss_compare_name() check entirely. If this is something you'd like to mainline I'd be happy to standardize the coding style -- just point me to a style definition document. And if it doesn't hit the mainline I expect to maintain it for the foreseeable future, with updates at the same URL. Zach