search for: authz_nam

Hello, I'm trying to authenticate using GSSAPI, but getting this in dovecot.log "authn_name and authz_name differ: not supported". What is actually trying to say me? I've remeber once encounter this problem but it get away silently. I'm using Mozilla Thunderbird 3 beta 3 and Dovecot 1.0.15

Attached is a patch which in my environment (Linux/Heimdal 1.2.1) fixes cross-realm GSSAPI authentication. Changes it makes: 1. When using krb5_kuserok, do not call gss_compare_name to check that authn_name and authz_name are the same. Instead, make TWO calls to krb5_kuserok, one for each ID. If both IDs are acceptable, allow the login. 2. Disable checking that the name is a GSS_KRB5_PRINCIPAL_NAME, as this doesn't appear to be always the case for the authz_name. If I create a .k5login listing both username...

I've been trying to track down some problems with Dovecot in a Kerberos 5 cross-realm environment, and there seem to be a few issues. LOGIN/PLAIN work fine using pam_krb5, but GSSAPI is a bit harder to handle. On line 436 of src/auth/mech-gssapi.c, the authn_name and the authz_name are compared using gss_compare_name. This dates back to the message at: http://dovecot.org/pipermail/dovecot/2005-October/009615.html While everything within that message is true, as things stand, Dovecot is unusable in a cross-realm environment. When cross-realm tickets are used, the authn_nam...

...hn at EXAMPLE.COM,192.0.2.168): Negotiated security layer auth(default): client out: CONT 1 YD8GCSqGSIb3EgECAgIBBAD/////MINNkeu5LVS8fiZNSnb8j8iKBuHArr/sHec++VYV+9SSc+RkAf///wQEBAQ= auth(default): client in: CONT<hidden> auth(default): gssapi(john at EXAMPLE.COM,192.0.2.168): authz_name has NULs auth(default): client out: FAIL 1 user=john at EXAMPLE.COM imap-login: Disconnected (auth failed, 1 attempts): user=<john at EXAMPLE.COM>, method=GSSAPI, rip=192.0.2.168, lip=192.0.2.36, TLS: Disconnected ------------------------ I commented out the 'return -1;...

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, Attached is a patch against current CVS that adds support for the GSSAPI SASL mechanism. It was written from scratch, after reading the patch from Colin Walters against a much older version of dovecot. Other then support for the 'GSSAPI' mechanism, it contains the following changes: - - Added 'auth_krb5_keytab' option for

...No such file or directory mech-gssapi.c:42: error: syntax error before "gss_ctx_id_t" mech-gssapi.c:51: error: syntax error before "gss_name_t" mech-gssapi.c:58: error: syntax error before "OM_uint32" [snipped] mech-gssapi.c:387: error: structure has no member named `authz_name' *** Error code 1 Stop in /usr/local/src/dovecot/dovecot-1.0.alpha5/src/auth. *** Error code 1 Stop in /usr/local/src/dovecot/dovecot-1.0.alpha5/src. *** Error code 1 Any help is greatly appreciated -kim -- w8hdkim@gmail.com