On Sat, Dec 16, 2017 at 07:07:47PM -0500, Mark Foley wrote:
> On Date: Fri, 15 Dec 2017 11:36:33 -0600 Dan White <dwhite@xxxxxxx> wrote:
>
> > On 12/15/17 12:21 -0500, Mark Foley wrote:
> > >
> > >> I would personally not use saslauthd in the above manner [authenticating with
> > >> sendmail]. If you have a controlled environment where your clients
> > >> (Thunderbird) are known to support GSSAPI negotiation over the network, then
> > >> configuring Sendmail to support GSSAPI directly is secure and recommended.
> > >
> > >The "configuring Sendmail to support GSSAPI directly" is the bit that got my
> > >attention. To clarify, in order to do Sendmail and GSSAPI directly I *do* need
> > >SASL, but *do not* need saslauthd, right?
> >
> > Yes, that's correct. You'd configure Sendmail to use the GSSAPI
> > authentication plugin, but not PLAIN or LOGIN, which would make saslauthd
> > irrelevant.
>
> But, I do need SASL for Sendmail, right? Just not saslauthd?
>
> Also, you mentioned in a previous email that to build sasl, in my ./configure, I
> need:
>
> ./configure --enable-gssapi=<DIR>

./configure --help

> > The directory should point to where your kerberos library and headers
> > are installed.
>
> First of all, how did you know that's what "<DIR>" means? I couldn't find
> anything about that on the website, in the installation instructions or in the
> doc/ files, or by searching the web.
>
> Other than that, I have libraries from the Samba4 installation in:
>
> /usr/lib64/libkrb5samba-samba4.so
> /usr/lib64/libheimntlm-samba4.so.1.0.1
> /usr/lib64/python2.7/site-packages/samba/dcerpc/krb5pac.so
> /usr/lib64/libndr-krb5pac.so.0.0.1
> /usr/lib64/winbind_krb5_locator.so
> /usr/lib64/gensec/krb5.so
> /usr/lib64/libauthkrb5-samba4.so
> /usr/lib64/libkrb5-samba4.so.26.0.0
> /usr/lib64/libheimbase-samba4.so.1.0.0
>
> And Kerberos related Samba4 header files in:
>
> /usr/include/openssl/krb5_asn.h
> /usr/include/c++/5.3.0/javax/security/auth/kerberos/KerberosPrincipal.h
> /usr/include/c++/5.3.0/javax/security/auth/kerberos/KerberosTicket.h
> /usr/include/c++/5.3.0/javax/security/auth/kerberos/KerberosKey.h
> /usr/include/samba-4.0/gen_ndr/ndr_krb5pac.h
> /usr/include/samba-4.0/gen_ndr/krb5pac.h
> /usr/local/include/gssapi/gssapi_krb5.h
> /usr/local/include/krb5/krb5.h
> /usr/local/include/krb5.h

./configure --enable-gssapi=/usr/heimdal/lib --with-gss_impl=heimdal

> I've also just installed Heimdal Kerberos. Libraries are in:
>
> /usr/heimdal/lib/libheimbase.so.1.0.0
> /usr/heimdal/lib/libheimedit.so.0.0.36
> /usr/heimdal/lib/libkrb5.so.26.0.0
> /usr/heimdal/lib/libheimsqlite.so.0.0.0
> /usr/heimdal/lib/libheimntlm.so.0.1.0
>
> and these newly installed header files are in:
>
> /usr/heimdal/include/heimbase.h
> /usr/heimdal/include/krb5-types.h
> /usr/heimdal/include/krb5-protos.h
> /usr/heimdal/include/krb5_asn1.h
> /usr/heimdal/include/krb5_ccapi.h
> /usr/heimdal/include/heim_err.h
> /usr/heimdal/include/heimntlm-protos.h
> /usr/heimdal/include/heimntlm.h
> /usr/heimdal/include/gssapi/gkrb5_err.h
> /usr/heimdal/include/gssapi/gssapi_krb5.h
> /usr/heimdal/include/heim-ipc.h
> /usr/heimdal/include/krb5_err.h
> /usr/heimdal/include/heim_asn1.h
> /usr/heimdal/include/krb5.h
>
> I'd like to try using the Heimdal that came with Samba4. I can point the library
> DIR to /usr/lib64, but what about the headers? Do the Samba4/Heimdal headers
> look like what I need for the build?
>
> If that's not going to work, I'll try building against the new Heimdal install.
> In this case, what would my =<DIR> be? /usr/heimdal ?
>
> THX --Mark
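
The point quoted near the top of this thread, that offering GSSAPI without PLAIN or LOGIN makes saslauthd irrelevant, can be checked against a Cyrus SASL application config. This is an added example, not part of the original message or of the Cyrus SASL project; it assumes the standard `mech_list` option in a `key: value` config file, and the function names and sample configs are constructed for illustration.

```shell
#!/bin/sh
# Classify a Cyrus SASL application config by the mechanisms it allows.
# Reads config text on stdin and prints one of:
#   gssapi-only     mech_list names GSSAPI and nothing else
#   password-mechs  mech_list includes PLAIN or LOGIN
#   unrestricted    no mech_list, so every installed plugin is offered
#   other           mech_list is set but matches neither case above
audit_mech_list() {
    awk '
        /^[ \t]*#/ { next }                  # skip comment lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            key = tolower(line); sub(/[ \t]*:.*/, "", key)
            if (key != "mech_list" || index(line, ":") == 0) next
            # Mechanism names are compared case-insensitively.
            val = toupper(substr(line, index(line, ":") + 1))
            seen = 1; total = 0; gss = 0; pw = 0   # last mech_list wins
            n = split(val, m, /[ \t]+/)
            for (i = 1; i <= n; i++) {
                if (m[i] == "") continue
                total++
                if (m[i] == "GSSAPI") gss = 1
                if (m[i] == "PLAIN" || m[i] == "LOGIN") pw = 1
            }
        }
        END {
            if (!seen)                   print "unrestricted"
            else if (pw)                 print "password-mechs"
            else if (gss && total == 1)  print "gssapi-only"
            else                         print "other"
        }'
}

# saslauthd only matters if a plaintext-password mechanism can be selected.
# "unrestricted" is treated conservatively as possibly offering one.
saslauthd_relevant() {
    case "$(audit_mech_list)" in
        password-mechs|unrestricted) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample configs (not taken from the thread).
WEAK_CONF='pwcheck_method: saslauthd
mech_list: PLAIN LOGIN GSSAPI'
GSS_CONF='# Kerberos only
mech_list: gssapi'

printf '%s\n' "$WEAK_CONF" | audit_mech_list
printf '%s\n' "$GSS_CONF"  | audit_mech_list
```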