On 2013-01-06 at 09:18 +0000, Andy Bennett wrote:
> > Neither at present. The correct fix is to expand the heimdal_gssapi
> > authenticator to handle client-side authentication. This would be the
> > simplest, with fewer layers of abstraction to manipulate, and is newer
> > code (introduced with Exim 4.80).
>
> I'm running MIT Kerberos. Can heimdal_gssapi speak to that?
Almost. Per:
http://web.mit.edu/kerberos/krb5-1.3/README-1.3.1.txt
if you have MIT Kerberos of at least version 1.3, then you have the
functionality, but you'll need to change
`gsskrb5_register_acceptor_identity()` in the Exim source
(src/auths/heimdal_gssapi.c) to be
`krb5_gss_register_acceptor_identity()` instead.
I _think_ it's otherwise compatible. You might need to adjust include
header paths too -- I simply don't know.
If you see that working server-side, I can put some conditional
compilation in to alias the name for MIT.
-Phil