On Jul 27, 2009, at 5:06 AM, Peter Eriksson wrote:

"mech-gssapi.c", line 276: undefined symbol: gss_mech_krb5
"mech-gssapi.c", line 276: warning: improper pointer/integer combination: arg #2
..
"gss_mech_krb5" is not a valid variable on Solaris.

Oh, there are more GSSAPI implementations than just MIT and Heimdal? :)
Fixed: http://hg.dovecot.org/dovecot-1.2/rev/ac2e37e4c2c1

Do you really have to check that GSSAPI is using Kerberos? Why not leave it up to the system to use whatever default authentication mechanism is chosen (currently that probably is Kerberos, but other things might pop up in the future - you never know). The whole point of using GSSAPI is that it should be agnostic to the authentication mechanism used "behind the scenes"...

GSSAPI SASL mechanism is meant only for Kerberos. I don't really know why. RFC 4752 says:

Upon successful establishment of the security context (i.e., GSS_Accept_sec_context returns GSS_S_COMPLETE), the server SHOULD verify that the negotiated GSS-API mechanism is indeed Kerberos V5 [KRB5GSS]. This is done by examining the value of the mech_type parameter returned from the GSS_Accept_sec_context call. If the value differs, SASL authentication MUST be aborted.

Also Heimdal's author said that comparing GSSAPI display names is dangerous if this check isn't done. That's the main reason I added the check.

Another issue when building 1.2.2 that wasn't there with 1.2.1 is that "-lsocket" seems to be missing causing linking errors. One example:

Fixed: http://hg.dovecot.org/dovecot-1.2/rev/cd29b745c8dd
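
The mech_type check from RFC 4752 quoted above, written so that it does not depend on the gss_mech_krb5 symbol. This is an added example, not part of the original message and not Dovecot's code. It assumes a local stand-in for gss_OID_desc so that it compiles without GSS-API headers; all example_* and sample_* names are hypothetical, and the sample OIDs are constructed.

```c
#include <stddef.h>
#include <string.h>

/* Stand-in for gss_OID_desc (a length plus a pointer to the DER-encoded
 * OID body); declared locally so the example builds without <gssapi.h>. */
typedef struct {
    unsigned int length;
    const void *elements;
} example_oid_desc;

/* Kerberos V5 mechanism OID 1.2.840.113554.1.2.2, kept as a local
 * constant because not every GSS-API library exports gss_mech_krb5. */
static const unsigned char krb5_oid_bytes[] = {
    0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02
};

/* Returns 1 only when mech_type is exactly the Kerberos V5 OID.
 * A missing OID, a different length or any differing byte returns 0,
 * in which case the caller must abort SASL authentication. */
int example_mech_is_krb5(const example_oid_desc *mech_type)
{
    if (mech_type == NULL || mech_type->elements == NULL)
        return 0;
    if (mech_type->length != sizeof(krb5_oid_bytes))
        return 0;
    return memcmp(mech_type->elements, krb5_oid_bytes,
                  sizeof(krb5_oid_bytes)) == 0;
}

/* Constructed sample values standing in for the mech_type output of
 * GSS_Accept_sec_context. */
static const unsigned char sample_krb5_bytes[] = {
    0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02
};
static const unsigned char sample_spnego_bytes[] = {  /* 1.3.6.1.5.5.2 */
    0x2b, 0x06, 0x01, 0x05, 0x05, 0x02
};
static const example_oid_desc sample_krb5 = { 9, sample_krb5_bytes };
static const example_oid_desc sample_spnego = { 6, sample_spnego_bytes };
/* Same bytes as Kerberos V5 but one short: a prefix must not match. */
static const example_oid_desc sample_prefix = { 8, sample_krb5_bytes };

int main(void)
{
    /* Exit status 0 means every sample was classified as expected. */
    return !(example_mech_is_krb5(&sample_krb5) == 1 &&
             example_mech_is_krb5(&sample_spnego) == 0 &&
             example_mech_is_krb5(&sample_prefix) == 0 &&
             example_mech_is_krb5(NULL) == 0);
}
```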
