GSSAPI vs group check

Németh Ákos Ferenc nemethakos at
Fri Jun 1 14:55:29 EEST 2018

Dear All,

Is it possible to make any authorization (e.g. checking of group 
membership) in case of GSSAPI authentication?

Our dovecot authenticates the users against PAM and GSSAPI. In the PAM 
file I'm able to check if a user is a member of a selected (e.g. 
mailreader) group. If the user is a member, he can log in, otherwise not 
(see below). If the user has a valid Kerberos ticket and he tries to 
log in via GSSAPI, I can't restrict him if he is not a member of the 
selected group.

How can I overcome this issue?

My config:

passdb {
   driver = pam
   # [session=yes] [setcred=yes] [failure_show_msg=yes] [max_requests=<n>]
   # [cache_key=<key>] [<service name>]
   #args = dovecot
}

userdb {
   # <doc/wiki/AuthDatabase.Passwd.txt>
   driver = passwd
   # [blocking=no]
   #args =

   # Override fields from passwd
   #override_fields = home=/home/virtual/%u
}

PAM file:

auth    [success=1 default=ignore] user ingroup 

auth    [success=ignore default=2] user ingroup 
auth    [success=ignore default=1] uid >= 1000
auth    [success=3 default=ignore] krb5_auth 
krb5_ccache_type=FILE cached_login

auth    [success=ignore default=1] uid < 1000
auth    [success=1 default=ignore] nullok_secure 

auth    requisite             

auth    required              

Thank you.
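The PAM stack above only gates the password path; the group test it performs (`user ingroup <group>`) is a plain authorization decision that can be applied after any authentication method, GSSAPI included. The following is an added example (not code from the mail above and not part of Dovecot) that implements that same decision in Python: a user passes if the group is their primary group (passwd gid) or they are listed as a supplementary member (group file). The `Account`/`Group` tables, the `mailreader` group contents and the `local_name` helper (which strips a Kerberos `@REALM` suffix before the lookup) are constructed assumptions for the example; `system_user_in_group` runs the same check against the host's NSS databases via `pwd`/`grp`.

```python
"""Group-membership authorization, modelled on the PAM test
`user ingroup <group>` from the post. Added example, not Dovecot code."""
import grp
import pwd
from dataclasses import dataclass, field


@dataclass
class Account:
    name: str
    gid: int  # primary group id, as in /etc/passwd


@dataclass
class Group:
    name: str
    gid: int
    members: list = field(default_factory=list)  # supplementary members


# Constructed sample databases (stand-ins for /etc/passwd and /etc/group).
SAMPLE_ACCOUNTS = {
    "alice": Account("alice", 1001),
    "bob": Account("bob", 1002),
}
SAMPLE_GROUPS = {
    "users": Group("users", 100),
    "mailreader": Group("mailreader", 2000, ["alice"]),  # assumed group name
    "staff": Group("staff", 1002),
}


def local_name(principal):
    """Strip a Kerberos realm ('alice@EXAMPLE.ORG' -> 'alice').
    Assumption for the example: the realm has already been validated."""
    return principal.split("@", 1)[0]


def user_in_group(user, group_name, accounts, groups):
    """True if `user` is in `group_name` by primary gid or by membership
    list. Unknown user or unknown group is a deny, never a silent pass."""
    acct = accounts.get(user)
    group = groups.get(group_name)
    if acct is None or group is None:
        return False
    if acct.gid == group.gid:
        return True
    return user in group.members


def authorize(principal, required_group, accounts=SAMPLE_ACCOUNTS,
              groups=SAMPLE_GROUPS):
    """Authorization step that is independent of how the identity was
    proven (PAM password or GSSAPI ticket): a valid identity still needs
    the group. Returns (allowed, reason) so a caller can log the decision."""
    user = local_name(principal)
    if user_in_group(user, required_group, accounts, groups):
        return True, f"{user} is in {required_group}"
    return False, f"{user} is not in {required_group}"


def system_user_in_group(user, group_name):
    """Same check against the live NSS databases of the host."""
    try:
        pw = pwd.getpwnam(user)
        gr = grp.getgrnam(group_name)
    except KeyError:
        return False
    return pw.pw_gid == gr.gr_gid or user in gr.gr_mem


if __name__ == "__main__":
    for who in ("alice@EXAMPLE.ORG", "bob", "carol"):
        print(who, authorize(who, "mailreader"))
```

The deny-by-default branches (unknown user, unknown group) matter: an authorization hook that returns "allow" when a lookup fails reintroduces exactly the gap described in the post.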
