[Dovecot] GSSAPI and deny=yes passdb

Sergey Urushkin urushkin at telros.ru
Tue Oct 4 12:01:36 EEST 2011 

Hi. Is it possible to use GSSAPI authentication and deny passdb
together? Seems it doesn't work as I expect: GSSAPI doesn't check deny
passdb, so I'm not able to restrict access to GSSAPI-users.

I can see these in logs when user tries to connect with PLAIN
authentication (via pam_krb5):
Oct  4 11:14:31 vm03 auth: Debug: passwd-file(testuser,172.17.0.123):
lookup: user=testuser file=/etc/dovecot/auth.d/.passwd-deny
Oct  4 11:14:31 vm03 dovecot: auth: passdb(tesetuser,172.17.0.123): User
found from deny passdb

But that's what I see if user logs in with GSSAPI:
...
Oct  4 11:21:38 vm03 dovecot: auth: Debug:
gssapi(testuser at REALM.LAN,172.17.0.123): Negotiated security layer
Oct  4 11:21:38 vm03 dovecot: auth: Debug: client out:
CONT#0111#011BQQF/wAMAAAAAAAAKSUwaQH///+3JRmZMw01WMX+CHM=
Oct  4 11:21:38 vm03 dovecot: auth: Debug: client in: CONT<hidden>
Oct  4 11:21:38 vm03 dovecot: auth: Debug: client out:
OK#0111#011user=testuser
Oct  4 11:21:38 vm03 dovecot: auth: Debug:
passwd-file(testuser,172.17.0.123): lookup: user=testuser
file=/etc/dovecot/auth.d/.passwd-ldap
Oct  4 11:21:38 vm03 dovecot: auth: Debug: master out:
USER#0111632763905#011testuser#011home=/var/mail/realm.lan/testuser
Oct  4 11:21:38 vm03 dovecot: imap-login: Login: user=<testuser>,
method=GSSAPI, rip=172.17.0.123, lip=172.25.0.35, mpid=1085

Here is my auth configuration:

auth_mechanisms = plain login apop gssapi

# Kerberos
auth_realms = REALM.LAN
auth_gssapi_hostname = vm03.realm.lan
auth_krb5_keytab = /etc/dovecot/dovecot.keytab

######
# PASSDB

# Denied users
passdb {
  driver = passwd-file
  deny = yes
  args = username_format=%n /etc/dovecot/auth.d/%d.passwd-deny
}

# Internal manual passwd-file
passdb {
  driver = passwd-file
  args = scheme=CRAM-MD5 username_format=%n /etc/dovecot/auth.d/%d.passwd
#  override_fields = allow_nets=127.0.0.0/8,172.16.0.0/12
}

# External passwd-file
passdb {
  driver = passwd-file
  args = scheme=CRAM-MD5 username_format=%n
/etc/dovecot/auth.d/%d.passwd-ext
}

# Internal kerberos pam
passdb {
  driver = pam
  args = max_requests=100 cache_key=%u%r dovecot
#  override_fields = allow_nets=127.0.0.0/8,172.16.0.0/12
}

######
#USERDB

# Manual passwd-file
userdb {
  driver = passwd-file
  args = username_format=%n /etc/dovecot/auth.d/%d.passwd
#  default_fields = home=/var/mail/%d/%n
}

# External passwd-file
userdb {
  driver = passwd-file
  args = username_format=%n /etc/dovecot/auth.d/%d.passwd-ext
#  default_fields = home=/var/mail/%d/%n
}

# Automatic passwd-file, imported from LDAP. UserDB only
userdb {
  driver = passwd-file
  args = username_format=%n /etc/dovecot/auth.d/%d.passwd-ldap
#  default_fields = home=/var/mail/%d/%n
}

### END ####
/etc/dovecot/auth.d/realm.lan.passwd-ldap:
testuser:::::/var/mail/realm.lan/testuser::
testuser2:::::/var/mail/realm.lan/testuser::
...

/etc/dovecot/auth.d/realm.lan.passwd-deny:
testuser

/etc/dovecot/auth.d/realm.lan.passwd* are symlinked to
/etc/dovecot/auth.d/.passwd*
to allow users without domain part (auth_default_realm doesnt work with pam)

I know that in my case I can just exclude denied users from .passwd-ldap
file, and even use .passwd-deny as filter file:) But problem exists and
should be solved, I think.

Thanks.

-- 
Best regards,
Sergey Urushkin

More information about the dovecot mailing list