While toying around I noticed the GSSAPI mechanism doesn't work in dovecot.
I think the BUILTIN_GSSAPI define is missing prohibiting registration of the GSSAPI mechansim. see: src/auth/mech-gssapi.c, src/auth/mech.c This replacement of the 'patch-configure_in' file made it possible for me to authenticate using GSSAPI. It just adds the line: AC_DEFINE(BUILTIN_GSSAPI,, GSSAPI support is built in) (since I was just playing with dovecot, consider it (very) lightly tested) --- configure.in.orig Wed Feb 4 00:41:16 2009 +++ configure.in Sun Jul 5 18:15:05 2009 @@ -13,6 +13,7 @@ AC_HEADER_STDC AC_C_INLINE AC_PROG_LIBTOOL +LIBS="${LIBS} -liconv" AM_ICONV AC_CHECK_HEADERS(strings.h stdint.h unistd.h dirent.h malloc.h inttypes.h \ @@ -1797,74 +1798,16 @@ have_gssapi=no if test $want_gssapi != no; then - AC_CHECK_PROG(KRB5CONFIG, krb5-config, YES, NO) - if test $KRB5CONFIG = YES; then - if ! krb5-config --version gssapi 2>/dev/null > /dev/null; then - # krb5-config doesn't support gssapi. - KRB5_LIBS="`krb5-config --libs`" - KRB5_CFLAGS=`krb5-config --cflags` - AC_CHECK_LIB(gss, gss_acquire_cred, [ - # Solaris - KRB5_LIBS="$KRB5_LIBS -lgss" - ], [ - # failed - KRB5_LIBS= - ], $KRB5_LIBS) - else - KRB5_LIBS=`krb5-config --libs gssapi` - KRB5_CFLAGS=`krb5-config --cflags gssapi` - fi - if test "$KRB5_LIBS" != ""; then - AC_SUBST(KRB5_LIBS) - AC_SUBST(KRB5_CFLAGS) - - # Although krb5-config exists, all systems still don't - # have gssapi.h - old_CFLAGS=$CFLAGS - CFLAGS="$CFLAGS $KRB5_CFLAGS" - AC_CHECK_HEADER([gssapi/gssapi.h], [ - AC_DEFINE(HAVE_GSSAPI_GSSAPI_H,, GSSAPI headers in gssapi/gssapi.h) - have_gssapi=yes - ]) - AC_CHECK_HEADER([gssapi.h], [ - AC_DEFINE(HAVE_GSSAPI_H,, GSSAPI headers in gssapi.h) - have_gssapi=yes - ]) - if test $have_gssapi = yes; then - AC_DEFINE(HAVE_GSSAPI,, Build with GSSAPI support) - AC_CHECK_HEADERS(gssapi/gssapi_ext.h gssapi_krb5.h gssapi/gssapi_krb5.h) - AC_CHECK_LIB(gss, __gss_userok, [ - AC_DEFINE(HAVE___GSS_USEROK,, - Define if you have __gss_userok()) - KRB5_LIBS="$KRB5_LIBS -lgss" - ],, $KRB5_LIBS) - - # MIT has a #define for Heimdal acceptor_identity, but it's way too - # difficult to test for it.. - old_LIBS=$LIBS - LIBS="$LIBS $KRB5_LIBS" - AC_CHECK_FUNCS(gsskrb5_register_acceptor_identity krb5_gss_register_acceptor_identity) - LIBS=$old_LIBS - - if test x$want_gssapi_plugin != xyes; then - AUTH_LIBS="$AUTH_LIBS $KRB5_LIBS" - AUTH_CFLAGS="$AUTH_CFLAGS $KRB5_CFLAGS" - AC_DEFINE(BUILTIN_GSSAPI,, GSSAPI support is built in) - else - have_gssapi_plugin=yes - fi - else - if test $want_gssapi = yes; then - AC_ERROR([Can't build with GSSAPI support: gssapi.h not found]) - fi - fi - CFLAGS=$old_CFLAGS - fi - else - if test $want_gssapi = yes; then - AC_ERROR([Can't build with GSSAPI support: krb5-config not found]) - fi - fi + # no krb5-config on OpenBSD, bring in the necessary libs and includes + # manually + AC_CHECK_HEADER([kerberosV/gssapi.h], [ + AC_DEFINE(HAVE_GSSAPI,, Build with GSSAPI support) + AC_DEFINE(HAVE_GSSAPI_H,, Build with GSSAPI support) + AC_DEFINE(HAVE_GSSKRB5_REGISTER_ACCEPTOR_IDENTITY,, Have the gsskrb5_register_acceptor_identity function) + AC_DEFINE(BUILTIN_GSSAPI,, GSSAPI support is built in) + have_gssapi=yes + ]) + AUTH_LIBS="$LIBS -lkrb5 -lgssapi -lcrypto" fi AM_CONDITIONAL(GSSAPI_PLUGIN, test "$have_gssapi_plugin" = "yes")