On the heimdal-discuss mailing list, the patch below has been
pretty heavily discussed:

On 2010-01-18 07:37, Alec Kloss wrote:
> On 2010-01-17 23:56, Jeffrey Hutzelman wrote:
> > --On Saturday, January 16, 2010 12:43:00 PM -0500 Ken Raeburn 
> > <raeb...@mit.edu> wrote:
> > 
> > >but I haven't tweaked the server side to see if the Cyrus IMAP server
> > >will accept a service principal name that isn't the one generated from
> > >the local host name.)
> > 
> > Cyrus SASL, and thus the Cyrus IMAP server, can be configured to accept a 
> > service principal name generated from an arbitrary hostname; it need not be 
> > the same as the host's actual name.  However, it cannot be configured to 
> > accept multiple SPN's, or "any SPN for which I have a keytab entry", or 
> > anything useful like that.  That is, it insists on building a service name 
> > and obtaining a credential for a specific service, rather than simply using 
> > GSS_C_NO_CREDENTIAL like all right-thinking acceptors.
> > 
> > :-(
> > 
> 
> Anyone have comments about this patch to SASL?
> 
> 
> --- ./plugins/gssapi.c.orig   2008-09-11 15:13:32.000000000 -0500
> +++ ./plugins/gssapi.c        2008-10-30 12:33:48.000000000 -0500
> @@ -693,7 +693,7 @@
>           
>           GSS_LOCK_MUTEX(params->utils);
>           maj_stat = gss_acquire_cred(&min_stat, 
> -                                     text->server_name,
> +                                     GSS_C_NO_NAME,
>                                       GSS_C_INDEFINITE, 
>                                       GSS_C_NO_OID_SET,
>                                       GSS_C_ACCEPT,
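Review bot: passing GSS_C_NO_NAME to gss_acquire_cred here makes the acceptor credential cover every principal in its keytab, not just the IMAP service, so after gss_accept_sec_context the plugin should learn which target name was actually negotiated (gss_inquire_context) and either expose it or check it against the configured service, rather than continuing to treat text->server_name as the acceptor identity; text->server_name is no longer consumed at this call, so check it is not still used elsewhere as if it were. The override the thread asks for would fit naturally at this same call: pass the administrator-configured name when one is set and fall back to GSS_C_NO_NAME only when it is not, e.g. `configured_name ? configured_name : GSS_C_NO_NAME,`.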
> 
> -- 
> Alec Kloss  a...@setfilepointer.com   IM: daemona...@gmail.com
> PGP key at http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xA241980E
> "No Bunny!" -- Simon, http://wiki.adultswim.com/xwiki/bin/Frisky+Dingo/Simon


No one there has come up with a compelling argument why it
shouldn't be applied to SASL in general, perhaps enhanced to allow
an administrator to specify a specific name to override the new
default of GSS_C_NO_NAME.

Thoughts?

-- 
Alec Kloss  a...@setfilepointer.com   IM: daemona...@gmail.com
PGP key at http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xA241980E
"No Bunny!" -- Simon, http://wiki.adultswim.com/xwiki/bin/Frisky+Dingo/Simon
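To make the acceptor-name question in this thread concrete, here is an added example (not code from the SASL project or from anyone on this thread). It is a small Python model of the three acceptor configurations under discussion: the old default of a name derived from the local host, an administrator-specified override, and GSS_C_NO_NAME (modelled as `NO_NAME`). The keytab entries, ticket contents, principal names and keys are all constructed for the example; `acquire_cred`, `accept_sec_context` and `accept_with_policy` are stand-ins for the GSS-API calls, not bindings to them, and only model the keytab-lookup behaviour that matters here.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

NO_NAME = None  # stands in for GSS_C_NO_NAME


@dataclass(frozen=True)
class KeytabEntry:
    principal: str
    kvno: int
    key: bytes


@dataclass(frozen=True)
class ServiceTicket:
    service_principal: str  # the name the client asked the KDC for
    kvno: int
    key: bytes              # the key the KDC encrypted the ticket with


@dataclass
class AcceptorCred:
    name: Optional[str]                           # None models GSS_C_NO_NAME
    keys: Dict[Tuple[str, int], KeytabEntry]      # keys this credential may use


def acquire_cred(keytab, desired_name):
    """Model of gss_acquire_cred(..., GSS_C_ACCEPT): a specific name keeps only
    that principal's keys; NO_NAME keeps every entry in the keytab."""
    if desired_name is NO_NAME:
        keys = {(e.principal, e.kvno): e for e in keytab}
    else:
        keys = {(e.principal, e.kvno): e for e in keytab if e.principal == desired_name}
        if not keys:
            # Analogue of a GSS_S_NO_CRED failure: nothing in the keytab matches.
            raise LookupError("no keytab entry for %s" % desired_name)
    return AcceptorCred(desired_name, keys)


def accept_sec_context(cred, ticket):
    """Model of gss_accept_sec_context: succeed only if the ticket was issued for a
    principal/kvno the credential holds and the key matches. Returns the
    negotiated target name (what gss_inquire_context would report) or None."""
    entry = cred.keys.get((ticket.service_principal, ticket.kvno))
    if entry is None or entry.key != ticket.key:
        return None
    return ticket.service_principal


def accept_with_policy(cred, ticket, allowed_names=None):
    """Accept, then optionally restrict the negotiated name to an allowlist.
    This is the check an application needs once it acquires with NO_NAME,
    because the keytab alone then decides which services it answers for."""
    target = accept_sec_context(cred, ticket)
    if target is None:
        return None
    if allowed_names is not None and target not in allowed_names:
        return None
    return target


# Constructed keytab: the canonical IMAP name, a DNS alias, and an unrelated host key.
KEYTAB = [
    KeytabEntry("imap/mail1.example.com@EXAMPLE.COM", 3, b"k-mail1-v3"),
    KeytabEntry("imap/mail.example.com@EXAMPLE.COM", 5, b"k-alias-v5"),
    KeytabEntry("host/mail1.example.com@EXAMPLE.COM", 2, b"k-host-v2"),
]

# Constructed tickets a client might present to this server.
TICKETS = {
    "canonical": ServiceTicket("imap/mail1.example.com@EXAMPLE.COM", 3, b"k-mail1-v3"),
    "alias": ServiceTicket("imap/mail.example.com@EXAMPLE.COM", 5, b"k-alias-v5"),
    "host_svc": ServiceTicket("host/mail1.example.com@EXAMPLE.COM", 2, b"k-host-v2"),
    "stale_kvno": ServiceTicket("imap/mail.example.com@EXAMPLE.COM", 4, b"k-alias-v4"),
}

IMAP_NAMES = {"imap/mail1.example.com@EXAMPLE.COM", "imap/mail.example.com@EXAMPLE.COM"}


def run_scenarios():
    """Run every ticket against each acceptor configuration; map name -> result."""
    results = {}
    # Old default: name generated from the local host, so the alias is rejected.
    fixed = acquire_cred(KEYTAB, "imap/mail1.example.com@EXAMPLE.COM")
    results["fixed"] = {k: accept_with_policy(fixed, t) for k, t in TICKETS.items()}
    # Administrator override: exactly one other name, nothing else.
    override = acquire_cred(KEYTAB, "imap/mail.example.com@EXAMPLE.COM")
    results["override"] = {k: accept_with_policy(override, t) for k, t in TICKETS.items()}
    # NO_NAME: any key in the keytab is accepted, including the host/ key.
    any_cred = acquire_cred(KEYTAB, NO_NAME)
    results["no_name"] = {k: accept_with_policy(any_cred, t) for k, t in TICKETS.items()}
    # NO_NAME plus a post-accept allowlist restores a service-level policy.
    results["no_name_allowlist"] = {
        k: accept_with_policy(any_cred, t, allowed_names=IMAP_NAMES) for k, t in TICKETS.items()
    }
    return results


if __name__ == "__main__":
    for mode, outcome in run_scenarios().items():
        print(mode, outcome)
```

The "no_name" row is the point of the thread from the defender's side: with GSS_C_NO_NAME the keytab itself becomes the acceptance policy, so a `host/` key that happens to share the IMAP server's keytab lets a ticket for that service pass the IMAP acceptor. Either keep the keytab limited to the service that reads it, or query the negotiated name after acceptance and apply an allowlist as `accept_with_policy` does.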
