Re: [exim-dev] [Bug 1498] AUTH GSSAPI does not work with cro…

Author: Phil Pennock
Date:  
To: exim-dev
Subject: Re: [exim-dev] [Bug 1498] AUTH GSSAPI does not work with cross-realm
On 2014-07-01 at 23:18 +0000, Viktor Dukhovni wrote:
> I thought that the server's SASL ".conf" file can specify a "keytab"
> option in sufficiently recent versions of SASL.
>
>     https://cyrusimap.org/docs/cyrus-sasl/2.1.25/options.php
>
> Not sure how common support for this might be.
It's been there for a long time. I reference it in another update on
the bug.

Tried it, it didn't work with Cyrus SASL and Heimdal in combination, but
it looks like the doc for the environment variable was added by Phil
Hazel in 2006 and that was in response to my describing how to work
around the issue.

Note that this still isn't the SASL or GSSAPI interfaces providing a way
for an application to configure the location -- it's backdoor
configuration, in much the same way as the environment variable.

If recollection serves, I tried the ${appname}.conf approach again when
Heimdal broke environment variable usage, that was 2011 timeframe I
think, and the box would have been running cyrus-sasl-2.1.x. When that
still didn't work, I decided to cut the SASL layers out of the equation
and wrote an authentication driver directly against the GSSAPI
interface. I needed one non-GSSAPI library call to set the keytab file,
so ended up calling the new driver `heimdal_gssapi`.

It's the only approach which has worked reliably. The promise of a
common SASL library is great, the reality is often lacking. In fact, I
first wrote the `gsasl` driver, to try out a different SASL library and
discovered the same problems there. Only once I'd ruled out a sane way
with either cyrus-sasl or gsasl did I write the heimdal_gssapi driver.
But we shipped gsasl anyway, as it's still useful, and people have
usefully been able to make their non-GSSAPI Exim deployments more
operationally robust by cutting out the cyrus middle-man and having Exim
use the sasldb2 file directly with gsasl.

-Phil
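For readers following the thread, here is an added Exim configuration example (not from this message or the Exim project's own documentation) showing the two approaches Phil describes: the `heimdal_gssapi` driver, which sets the keytab path itself rather than through the SASL ".conf" "keytab" option or the KRB5_KTNAME environment variable, and the `gsasl` driver reading a Cyrus `sasldb2` file directly. The keytab path and the `dbmjz` key layout (`user:realm:userPassword`, with the realm being whatever `saslpasswd2 -u` wrote) are assumptions to verify against the Exim specification for your release.

```exim
# Added example, not from the original thread.
begin authenticators

# Server-side GSSAPI without any SASL library in the path. The keytab
# location is configured here, so no environment variable or SASL-side
# backdoor file is needed. Path is a placeholder; it must be readable
# by the user Exim runs as.
gssapi_heimdal:
  driver          = heimdal_gssapi
  public_name     = GSSAPI
  server_hostname = $primary_hostname
  server_service  = smtp
  server_keytab   = /etc/exim/exim.keytab
  server_set_id   = $auth1

# Non-GSSAPI route: gsasl with a shared-secret mechanism, fetching the
# cleartext secret straight out of sasldb2. dbmjz joins the list items
# with NUL bytes to match the user/realm/property keys written by
# saslpasswd2 (assumed layout; check against your own database).
cram_gsasl:
  driver          = gsasl
  public_name     = CRAM-MD5
  server_mech     = CRAM-MD5
  server_password = ${lookup{$auth1:$primary_hostname:userPassword}dbmjz{/etc/sasldb2}}
  server_set_id   = $auth1
```

Because the keytab is named in Exim's own configuration, a permissions or path problem shows up in Exim's log at authentication time rather than failing silently inside the SASL layer, which is the operational gain Phil is pointing at.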