auth: mech-gssapi - Remove KRB5_USEROK check
authorAki Tuomi <aki.tuomi@open-xchange.com>
Fri, 3 Mar 2023 09:48:38 +0000 (11:48 +0200)
committeraki.tuomi <aki.tuomi@open-xchange.com>
Fri, 3 Mar 2023 10:02:36 +0000 (10:02 +0000)
It should be there always these days. Enables cross-realm
and cross-identity authentication always.

m4/want_gssapi.m4
src/auth/mech-gssapi.c

index c834333bb22aab176db5fccce05f8ab524c08c46..ae60473a78688f65fe5cc8e4b4951277902eb9fc 100644 (file)
@@ -40,11 +40,6 @@ AC_DEFUN([DOVECOT_WANT_GSSAPI], [
           ])
           AC_DEFINE(HAVE_GSSAPI,, [Build with GSSAPI support])
           AC_CHECK_HEADERS(gssapi/gssapi_ext.h gssapi_krb5.h gssapi/gssapi_krb5.h)
-          AC_CHECK_LIB(gss, __gss_userok, [
-            AC_DEFINE(HAVE___GSS_USEROK,,
-              [Define if you have __gss_userok()])
-            KRB5_LIBS="$KRB5_LIBS -lgss"
-          ],, $KRB5_LIBS)
 
           # MIT has a #define for Heimdal acceptor_identity, but it's way too
           # difficult to test for it..
index 466cd4d508c80bfe84d8287a425faf4fbbeeeba1..66444a16df372579053e4560c2b19ebbf7bdf699 100644 (file)
 
 #if defined(BUILTIN_GSSAPI) || defined(PLUGIN_BUILD)
 
-#ifndef HAVE___GSS_USEROK
-#  define USE_KRB5_USEROK
-#  include <krb5.h>
-#endif
-
 #ifdef HAVE_GSSAPI_GSSAPI_H
 #  include <gssapi/gssapi.h>
 #elif defined (HAVE_GSSAPI_H)
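Review bot: Dropping `#include <krb5.h>` in this hunk leaves no direct include of the krb5 header anywhere in the visible diff, while `k5_principal_is_authorized()` and `mech_gssapi_krb5_userok()` (which calls `krb5_free_context()`) lose their `#ifdef USE_KRB5_USEROK` guard in the later hunks and are now always compiled. The krb5 declarations would then have to arrive indirectly through one of the gssapi_krb5 headers, which nothing shown here guarantees; the next hunk also removes the `#undef USE_KRB5_USEROK` fallback for builds where neither of those headers was found, and the `AC_CHECK_HEADERS` list in m4/want_gssapi.m4 does not probe for `krb5.h`. I would keep an unconditional `#include <krb5.h>` inside the `BUILTIN_GSSAPI`/`PLUGIN_BUILD` block and add a configure-time check for it, so an unsupported platform is rejected by configure rather than by a compile error in the auth mechanism.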
@@ -39,8 +34,6 @@
 #  include <gssapi/gssapi_krb5.h>
 #elif defined (HAVE_GSSAPI_KRB5_H)
 #  include <gssapi_krb5.h>
-#else
-#  undef USE_KRB5_USEROK
 #endif
 
 #ifdef HAVE_GSSAPI_GSSAPI_EXT_H
@@ -403,7 +396,6 @@ mech_gssapi_wrap(struct gssapi_auth_request *request, gss_buffer_desc inbuf)
        return 0;
 }
 
-#ifdef USE_KRB5_USEROK
 static bool
 k5_principal_is_authorized(struct auth_request *request, const char *name)
 {
@@ -480,7 +472,6 @@ mech_gssapi_krb5_userok(struct gssapi_auth_request *request,
        krb5_free_context(ctx);
        return authorized;
 }
-#endif
 
 static int
 mech_gssapi_userok(struct gssapi_auth_request *request, const char *login_user)
@@ -488,9 +479,6 @@ mech_gssapi_userok(struct gssapi_auth_request *request, const char *login_user)
        struct auth_request *auth_request = &request->auth_request;
        OM_uint32 major_status, minor_status;
        int equal_authn_authz;
-#ifdef HAVE___GSS_USEROK
-       int login_ok;
-#endif
 
        /* if authn and authz names equal, don't bother checking further. */
        major_status = gss_compare_name(&minor_status,
@@ -507,24 +495,6 @@ mech_gssapi_userok(struct gssapi_auth_request *request, const char *login_user)
        if (equal_authn_authz != 0)
                return 0;
 
-       /* handle cross-realm authentication */
-#ifdef HAVE___GSS_USEROK
-       /* Solaris */
-       major_status = __gss_userok(&minor_status, request->authn_name,
-                                   login_user, &login_ok);
-       if (GSS_ERROR(major_status) != 0) {
-               mech_gssapi_log_error(auth_request, major_status,
-                                     GSS_C_GSS_CODE, "__gss_userok failed");
-               return -1;
-       }
-
-       if (login_ok == 0) {
-               e_info(auth_request->mech_event,
-                      "User not authorized to log in as %s", login_user);
-               return -1;
-       }
-       return 0;
-#elif defined(USE_KRB5_USEROK)
        if (!mech_gssapi_krb5_userok(request, request->authn_name,
                                     login_user, TRUE)) {
                e_info(auth_request->mech_event,
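Review bot: The call to `mech_gssapi_krb5_userok()` is now the only gate for a login whose authentication and authorization names differ, and this hunk deletes the one comment (`/* handle cross-realm authentication */`) that explained the branch. The last hunk also removes the `#else` path that logged "Cross-realm authentication not supported" and returned -1, so any build that took that path stops failing closed and instead accepts whatever the krb5 check and `k5_principal_is_authorized()` accept; neither body is visible here. I would restore a comment above the call, for example `/* authn and authz names differ: allow the login only if the krb5 userok check authorizes it (cross-realm / cross-identity) */`, and state what the literal `TRUE` argument selects. The function starts before this hunk and the `e_info()` call continues into the next one.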
@@ -533,13 +503,6 @@ mech_gssapi_userok(struct gssapi_auth_request *request, const char *login_user)
        }
 
        return 0;
-#else
-       e_info(auth_request->mech_event,
-              "Cross-realm authentication not supported "
-              "(authn_name=%s, authz_name=%s)",
-              request->auth_request.fields.original_username, login_user);
-       return -1;
-#endif
 }
 
 static void