On Tue, 26 Sep 2006, David Severance wrote:
I was working on getting 2006a running and ran into this compile time problem:
osdep.c: In function `checkpw':
osdep.c:116: error: syntax error before '-' token

Thank you. Somehow, the imap-2006a/src/osdep/unix/ckp_gss.c file was damaged. The following patch fixes it, and will be in imap-2006b:

*** ckp_gss.c~  2006-08-30 18:34:07.000000000 -0700
--- ckp_gss.c   2006-09-26 13:45:41.000000000 -0700
***************
*** 59,65 ****
         * to have separate client principals for different services, but many
         * other sites vehemently object...
         */
!       !krb5_parse_name (ctx,kerb_cp_svr_name ? cltnam : pw->-pw_name,
                          &crd->client) &&
        !krb5_parse_name (ctx,svrnam,&service) &&
        !krb5_build_principal_ext (ctx,&crd->server,
--- 59,65 ----
         * to have separate client principals for different services, but many
         * other sites vehemently object...
         */
!       !krb5_parse_name (ctx,kerb_cp_svr_name ? cltnam : pw->pw_name,
                          &crd->client) &&
        !krb5_parse_name (ctx,svrnam,&service) &&
        !krb5_build_principal_ext (ctx,&crd->server,
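
Review bot: In the changed line, `pw->pw_name` is dereferenced whenever `kerb_cp_svr_name` is false, and nothing in the visible context shows `pw` being checked for NULL first. If that check is not made earlier in `checkpw`, add it ahead of this expression. The `!krb5_parse_name (...) && !krb5_parse_name (...) && !krb5_build_principal_ext (...)` chain also throws away each `krb5_error_code`, so a principal that fails to parse is indistinguishable from any other failure on this password-validation path; keeping the return value and logging it would make such failures diagnosable. Because the chain short-circuits, `crd->client` may already be populated when the second or third call fails, so confirm the cleanup that follows (not visible in this hunk) frees it in that case. The one-character correction itself, `pw->-pw_name` to `pw->pw_name`, matches the reported syntax error before the '-' token.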




I'm looking to get to an install that can hopefully use an already granted kerberos ticket (from the original ssh login) and if there isn't one (because it's a remote imapd only connection) use the pam process to auth itself. Of course, maybe I'm going about this the wrong way too.

That isn't what PASSWDTYPE=gss does.

PASSWDTYPE=gss says that, when validating a plaintext password, use the user's Kerberos password rather than the password from /etc/passwd (or PAM).

On most modern systems, passwords are validated with PAM, and if you want to use the Kerberos password instead of the /etc/passwd password, you would generally do this in a PAM configuration rather than build imapd to look up the Kerberos password manually.


As for what you want to do, it should suffice to build the server with EXTRAAUTHENTICATORS=gss. This will enable the GSSAPI SASL authenticator, and if the client has a Kerberos ticket it can then use GSSAPI SASL to authenticate to the server. [Of course, this assumes that the client also supports GSSAPI.]

-- Mark --

http://staff.washington.edu/mrc
Science does not emerge from voting, party politics, or public debate.
Si vis pacem, para bellum.
_______________________________________________
Imap-uw mailing list
Imap-uw@u.washington.edu
https://mailman1.u.washington.edu/mailman/listinfo/imap-uw
