> > > I guess this fixes it again:
> > > http://hg.dovecot.org/dovecot-1.2/rev/f4ff64dd79a9
> >
> > We've tested dovecot with all four available patches (it means up to date
> > mech-gssapi.c) and it works.
>
> I've been talking with the main Heimdal guy and he thinks that kind of
> checking is scary bad.
>
> One thing that should change at least is that gss_display_name()
> shouldn't be passed to krb5_parse_name(). Instead gss_export_name()
> should be used and its results checked and passed to krb5_parse_name()
> (OpenSSH does this too). But I don't know if that would solve the
> original problem that required me to add the patch mentioned above.
>
> One thing I'm not really sure about in Kerberos is, do both MIT and
> Heimdal require that you are using system users and to have NSS set up
> in a way that Kerberos code can look up users with getpw*() functions? I
> think that's the main thing that krb5_kuserok() does that
> gss_compare_name() doesn't. But does Kerberos do the same check
> elsewhere and this isn't really a problem after all? If it doesn't check
> user's existence elsewhere, maybe I could just use gss_export_name()s
> and compare them instead of display names?..
Unfortunately my Kerberos knowledge is almost equal to zero, so I can't help with theory, sorry.
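Added example, not from this thread and not Dovecot, Heimdal or MIT code: what "use gss_export_name(), check its result, then hand it to krb5_parse_name()" can look like in C. It assumes the exported-name layout of RFC 2743 section 3.2 with the Kerberos mechanism OID from RFC 1964, and that the NAME field is the unparsed principal string (which is what the krb5 mechanism in both MIT and Heimdal puts there). No GSSAPI or krb5 library is linked, so the token is produced by a hand-written build_exported_name() that stands in for gss_export_name(); the function names and the sample principal alice@EXAMPLE.COM are mine, and the token is constructed for the example. The parser refuses tokens from any other mechanism, truncated or padded tokens, and names containing an embedded NUL; a realm check follows, because the exported name alone says nothing about whether its realm is one this server should accept.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* DER-encoded Kerberos V5 mechanism OID 1.2.840.113554.1.2.2 (RFC 1964),
 * exactly as it is embedded in an RFC 2743 section 3.2 exported name. */
static const uint8_t KRB5_MECH_OID_DER[] = {
    0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02
};

/*
 * Validate an exported name token and extract the principal string.
 * Layout (RFC 2743 section 3.2):
 *   TOK_ID       2 bytes  0x04 0x01
 *   MECH_OID_LEN 2 bytes  big-endian
 *   MECH_OID     DER OID, including its 0x06 tag and length byte
 *   NAME_LEN     4 bytes  big-endian
 *   NAME         for the krb5 mechanism, the unparsed principal string
 * Returns a malloc'd NUL-terminated principal, or NULL if anything is off.
 */
char *krb5_principal_from_exported_name(const uint8_t *tok, size_t len)
{
    size_t oid_len, name_len, pos;
    char *principal;

    if (tok == NULL || len < 2 + 2 + 4)
        return NULL;
    if (tok[0] != 0x04 || tok[1] != 0x01)          /* not an exported name */
        return NULL;
    oid_len = ((size_t)tok[2] << 8) | tok[3];
    pos = 4;
    /* Only accept the Kerberos mechanism: a name exported by another
     * mechanism is not a Kerberos principal, whatever it looks like. */
    if (oid_len != sizeof KRB5_MECH_OID_DER || len - pos < oid_len)
        return NULL;
    if (memcmp(tok + pos, KRB5_MECH_OID_DER, oid_len) != 0)
        return NULL;
    pos += oid_len;
    if (len - pos < 4)
        return NULL;
    name_len = ((size_t)tok[pos] << 24) | ((size_t)tok[pos + 1] << 16) |
               ((size_t)tok[pos + 2] << 8) | tok[pos + 3];
    pos += 4;
    /* The name must fill the rest of the token: no truncation, no trailing
     * bytes, and no embedded NUL that would silently shorten what
     * krb5_parse_name() sees. */
    if (name_len == 0 || name_len != len - pos)
        return NULL;
    if (memchr(tok + pos, '\0', name_len) != NULL)
        return NULL;

    principal = malloc(name_len + 1);
    if (principal == NULL)
        return NULL;
    memcpy(principal, tok + pos, name_len);
    principal[name_len] = '\0';
    return principal;
}

/* Realm check on the unparsed principal: the realm follows the last
 * unescaped '@' (krb5_unparse_name backslash-escapes '@' inside components).
 * A principal with no realm is rejected rather than assumed local. */
int principal_realm_matches(const char *principal, const char *realm)
{
    const char *p, *at = NULL;

    for (p = principal; *p != '\0'; p++) {
        if (*p == '\\' && p[1] != '\0') {
            p++;                              /* skip the escaped character */
            continue;
        }
        if (*p == '@')
            at = p;
    }
    return at != NULL && strcmp(at + 1, realm) == 0;
}

/* Build a token in the same layout so the example runs without a KDC.
 * This stands in for gss_export_name(); it is test scaffolding only. */
size_t build_exported_name(const char *principal, uint8_t *buf, size_t bufsize)
{
    size_t plen = strlen(principal), pos;
    size_t total = 4 + sizeof KRB5_MECH_OID_DER + 4 + plen;

    if (plen == 0 || plen > UINT32_MAX || total > bufsize)
        return 0;
    buf[0] = 0x04;
    buf[1] = 0x01;
    buf[2] = 0x00;
    buf[3] = (uint8_t)sizeof KRB5_MECH_OID_DER;
    memcpy(buf + 4, KRB5_MECH_OID_DER, sizeof KRB5_MECH_OID_DER);
    pos = 4 + sizeof KRB5_MECH_OID_DER;
    buf[pos++] = (uint8_t)(plen >> 24);
    buf[pos++] = (uint8_t)(plen >> 16);
    buf[pos++] = (uint8_t)(plen >> 8);
    buf[pos++] = (uint8_t)plen;
    memcpy(buf + pos, principal, plen);
    return total;
}

int main(void)
{
    /* Constructed sample: the token gss_export_name() would hand back. */
    uint8_t tok[256];
    size_t n = build_exported_name("alice@EXAMPLE.COM", tok, sizeof tok);
    char *princ = krb5_principal_from_exported_name(tok, n);

    if (princ == NULL || !principal_realm_matches(princ, "EXAMPLE.COM")) {
        puts("rejected");
        free(princ);
        return 1;
    }
    /* Real code would now call krb5_parse_name(ctx, princ, &p) and then
     * krb5_kuserok(ctx, p, login_user) on the result. */
    printf("accepted principal %s\n", princ);
    free(princ);
    return 0;
}
```

The string the parser returns is what would go to krb5_parse_name() and on to krb5_kuserok(). As for comparing names instead: the exported form is defined so that two exported names from the same mechanism can be compared byte-for-byte, so once both tokens have passed the checks above a plain memcmp() over them is the comparison, with no display-name round trip.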