564784 - GSSAPI/Kerberos uses hostname instead of realhostname for service ticket.

Status: RESOLVED DUPLICATE of bug 530319

(Thunderbird :: Account Manager, defect)

Description

[melson]

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.9) Gecko/20100501 Iceweasel/3.5.9 (like Firefox/3.5.9)
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.10) Gecko/20100510 Shredder/3.0.5pre

Looks like when you try and do GSSAPI authentication it will use the value of:

user_pref("mail.server.server1.hostname")

over

user_pref("mail.server.server1.realhostname")

for requesting the proper service ticket.  This will result in a failure of GSSAPI auth if the hostname does not match the hostname of the kerberos-enabled server.

Switching value of hostname to match that of the server you are trying to connect to results in success. 



Reproducible: Always

Steps to Reproduce:
1. Set up new account with a hostname different from your kerberos-enabled server (imap.wesleyan.edu from auto configuration for example)
2. Go into Account Manager and change hostname to kerberos-enabled server (new-mailproxies.wesleyan.edu in my example).
3. Click on secure authentication and try and authenticate.
Actual Results:  
Failure to negotiate GSSAPI; wireshark shows that Thunderbird is asking for a service ticket for imap/imap.wesleyan.edu as opposed to imap/new-mailproxies.wesleyan.edu.

Expected Results:  
GSSAPI auth to succeed, specifically Thunderbird asks for and uses a ticket for the hostname specified in the Account Manager.

Also happens in the latest release for OS X, IceDove, and pretty much any thunderbird variant I've tested on.  It can lead to some difficulty in configuring Kerberos.