Hi all-- been away from the list for a few weeks so forgive me
if this problem has been reported-- with the help of some
of our Kerberos engineers, we tracked down why we can't
authenticate our Solaris kerberos clients to Dovecot.

Here's the deal: Our IT organization issued us kerberos tickets of the form

    imap@foobar.sfbay.sun.com

Which I presume is their standard-- and probably not negotiable.
However, the hostname of the machine is: "foobar", not
foobar.sfbay.sun.com
(as reported by gethostname(3c)).

So when dovecot does this:

    mech-gssapi.c:

            principal_name = t_str_new(128);
            str_append(principal_name, service_name);
            str_append_c(principal_name, '@');
    --->    str_append(principal_name, my_hostname);

We wind up asking kerberos to look for a ticket for imap@foobar,
instead of imap@foobar.sfbay.sun.com.

Obviously we can patch the source, but I was wondering if we could
have a gssapi_hostname setting in the config file? Or perhaps
we could have a knob letting us globally override my_hostname? Although I
don't know what side effects that could have.

We have some new cores I also need to report-- I'll get on that.

Thanks in advance,

-dp

--
Daniel Price - Solaris Kernel Engineering - dp at eng.sun.com - blogs.sun.com/dp

On March 26, 2007 10:37:08 PM -0700 Dan Price <dp at eng.sun.com> wrote:

> Hi all-- been away from the list for a few weeks so forgive me
> if this problem has been reported-- with the help of some
> of our Kerberos engineers, we tracked down why we can't
> authenticate our Solaris kerberos clients to Dovecot.
>
> Here's the deal: Our IT organization issued us kerberos tickets of the
> form
>
> imap@foobar.sfbay.sun.com
>
> Which I presume is their standard-- and probably not negotiable.
> However, the hostname of the machine is: "foobar", not
> foobar.sfbay.sun.com (as reported by gethostname(3c)).

That's broken. When using Kerberos, hostnames need to be FQDN's.

-frank

On Mon, 2007-03-26 at 22:37 -0700, Dan Price wrote:

> Obviously we can patch the source, but I was wondering if we could
> have a gssapi_hostname setting in the config file?

Done:

http://dovecot.org/list/dovecot-cvs/2007-March/008389.html
http://dovecot.org/list/dovecot-cvs/2007-March/008390.html
http://dovecot.org/list/dovecot-cvs/2007-March/008391.html
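
Added example, not part of the thread and not Dovecot's own code: a small C model of the mismatch discussed above, where the service name is built from the short name returned by gethostname() while the issued principal carries the FQDN. The `override_host` parameter is hypothetical (modelled on the gssapi_hostname setting requested in the thread), the issued-principal list is constructed, and the string comparison is a simplification of what a GSS-API library does with the name.

```c
#define _POSIX_C_SOURCE 200112L
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Build "service@host" as the mech-gssapi.c excerpt does, but let a
 * configured override (hypothetical parameter) replace the system
 * hostname. Returns 0 on success, -1 if the result does not fit. */
int build_service_name(const char *service, const char *override_host,
                       const char *system_host, char *out, size_t outlen)
{
    const char *host = (override_host != NULL && *override_host != '\0')
                           ? override_host : system_host;
    int n = snprintf(out, outlen, "%s@%s", service, host);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* A short name such as "foobar" has no dot after the '@'. */
int host_part_is_fqdn(const char *name)
{
    const char *at = strchr(name, '@');
    return at != NULL && strchr(at + 1, '.') != NULL;
}

/* Simplified model: 1 if name equals one of the issued principals.
 * A real GSS-API library maps the name to a Kerberos principal itself. */
int name_was_issued(const char *name, const char *const *issued, size_t count)
{
    for (size_t i = 0; i < count; i++)
        if (strcmp(name, issued[i]) == 0)
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed sample: the one principal described in the thread. */
    const char *const issued[] = { "imap@foobar.sfbay.sun.com" };
    char sys[256], name[512];

    if (gethostname(sys, sizeof(sys)) != 0)
        return 1;
    sys[sizeof(sys) - 1] = '\0';
    if (build_service_name("imap", NULL, sys, name, sizeof(name)) != 0)
        return 1;
    printf("%s fqdn=%d issued=%d\n", name, host_part_is_fqdn(name),
           name_was_issued(name, issued, 1));
    return 0;
}
```

On a host whose gethostname() returns a short name, this prints fqdn=0 issued=0, which is the situation reported in the first message.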