From: Timo Sirainen Date: Mon, 4 Aug 2008 21:33:09 +0000 (-0400) Subject: gssapi: Make auth_krb5_keytab work by calling _register_acceptor_identity() X-Git-Tag: 1.2.alpha1~93 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=448723dc1c12b126dd2d348d4ce385203abbaa7d;p=thirdparty%2Fdovecot%2Fcore.git gssapi: Make auth_krb5_keytab work by calling _register_acceptor_identity() instead of relying on KRB5_KTNAME environment to be picked up. --HG-- branch : HEAD --- diff --git a/configure.in b/configure.in index 9340fd1d64..d84bb5726a 100644 --- a/configure.in +++ b/configure.in @@ -1782,6 +1782,13 @@ if test $want_gssapi != no; then KRB5_LIBS="$KRB5_LIBS -lgss" ],, $KRB5_LIBS) + # MIT has a #define for Heimdal acceptor_identity, but it's way too + # difficult to test for it.. + old_LIBS=$LIBS + LIBS="$LIBS $KRB5_LIBS" + AC_CHECK_FUNCS(gsskrb5_register_acceptor_identity krb5_gss_register_acceptor_identity) + LIBS=$old_LIBS + if test x$want_gssapi_plugin != xyes; then AUTH_LIBS="$AUTH_LIBS $KRB5_LIBS" AUTH_CFLAGS="$AUTH_CFLAGS $KRB5_CFLAGS" diff --git a/src/auth/mech-gssapi.c b/src/auth/mech-gssapi.c index 06eb7ec311..3f570a15f3 100644 --- a/src/auth/mech-gssapi.c +++ b/src/auth/mech-gssapi.c @@ -71,6 +71,8 @@ struct gssapi_auth_request { pool_t pool; }; +static bool gssapi_initialized = FALSE; + static void auth_request_log_gss_error(struct auth_request *request, OM_uint32 status_value, int status_type, const char *description) 
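Review bot: The `AC_CHECK_FUNCS(gsskrb5_register_acceptor_identity krb5_gss_register_acceptor_identity)` added to configure.in only proves that one of the symbols links against `$KRB5_LIBS`; it does not prove that a prototype is visible where the function is called. The include list of src/auth/mech-gssapi.c is outside the hunks shown, so please confirm that the header declaring these functions is included there, otherwise the new call compiles as an implicit declaration. When neither function is found, configure continues without a message and the keytab setting presumably depends once more on the library honouring KRB5_KTNAME. An `AC_MSG_WARN` for that case would make the fallback visible at build time.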
@@ -94,11 +96,30 @@ static void auth_request_log_gss_error(struct auth_request *request, } while (message_context != 0); } +static void mech_gssapi_initialize(void) +{ + const char *path; + + path = getenv("KRB5_KTNAME"); + if (path != NULL) { +#ifdef HAVE_GSSKRB5_REGISTER_ACCEPTOR_IDENTITY + gsskrb5_register_acceptor_identity(path); +#elif defined (HAVE_KRB5_GSS_REGISTER_ACCEPTOR_IDENTITY) + krb5_gss_register_acceptor_identity(path); +#endif + } +} + static struct auth_request *mech_gssapi_auth_new(void) { struct gssapi_auth_request *request; pool_t pool; + if (!gssapi_initialized) { + gssapi_initialized = TRUE; + mech_gssapi_initialize(); + } + pool = pool_alloconly_create("gssapi_auth_request", 1024); request = p_new(pool, struct gssapi_auth_request, 1); request->pool = pool; diff --git a/src/master/auth-process.c b/src/master/auth-process.c index 2a7326ad45..9d185397e8 100644 --- a/src/master/auth-process.c +++ b/src/master/auth-process.c @@ -488,7 +488,8 @@ static void auth_set_environment(struct auth_settings *set) if (set->ntlm_use_winbind) env_put("NTLM_USE_WINBIND=1"); if (*set->krb5_keytab != '\0') { - /* Environment used by Kerberos 5 library directly */ + /* Environment may be used by Kerberos 5 library directly, + although we also try to use it directly as well */ env_put(t_strconcat("KRB5_KTNAME=", set->krb5_keytab, NULL)); } if (*set->gssapi_hostname != '\0') {
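Review bot: The status returned by `gsskrb5_register_acceptor_identity(path)` and `krb5_gss_register_acceptor_identity(path)` in mech_gssapi_initialize() is discarded, so a keytab that cannot be registered goes unnoticed. The acceptor may then use whatever default keytab the library selects instead of the configured auth_krb5_keytab. Capture the result and log on failure, e.g. `major_status = gsskrb5_register_acceptor_identity(path);` followed by `if (GSS_ERROR(major_status)) i_error("gssapi: registering keytab %s failed", path);`. When neither HAVE_ macro is defined the function does nothing, so a one-line comment there saying that KRB5_KTNAME in the environment is then the only mechanism would help the next reader.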