I've been trying to track down some problems with Dovecot in a Kerberos 5 cross-realm environment, and there seem to be a few issues. LOGIN/PLAIN work fine using pam_krb5, but GSSAPI is a bit harder to handle. On line 436 of src/auth/mech-gssapi.c, the authn_name and the authz_name are compared using gss_compare_name. This dates back to the message at: http://dovecot.org/pipermail/dovecot/2005-October/009615.html While everything within that message is true, as things stand, Dovecot is unusable in a cross-realm environment. When cross-realm tickets are used, the authn_name is "username at REALM" and the authz_name is "username" (or vice versa, I don't remember). The attached patch causes dovecot to display these two values in human-readable format to illustrate the issue. Because these two GSS names differ, Dovecot refuses to allow access in spite of the fact that krb5_kuserok would return TRUE. I am not the only one to have noticed this problem: http://dovecot.org/pipermail/dovecot/2007-July/023868.html http://dovecot.org/pipermail/dovecot/2007-October/026027.html Might I suggest that some more robust security checking be done instead of abusing gss_compare_name like this? I don't know how to do this using GSSAPI, but on the Kerberos side Heimdal provides the function krb5_kuserok. Dovecot could also just have a configurable file listing acceptable krb5 principals (preferably in .k5login syntax) and check that both auth_name and authz_name are in the list. Bryan Jacobs -------------- next part -------------- A non-text attachment was scrubbed... Name: authnmis2.patch Type: text/x-patch Size: 1646 bytes Desc: not available URL: <http://dovecot.org/pipermail/dovecot/attachments/20090303/4452ebb0/attachment-0004.bin> -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 197 bytes Desc: not available URL: <http://dovecot.org/pipermail/dovecot/attachments/20090303/4452ebb0/attachment-0005.bin>