Hello everybody,
I hope this question is appropriate for this list. Apologies if not.
I am running a set of virtual machines under Debian 6, to build a mail/collaboration server. I am mainly using dovecot, postfix, openldap and heimdal. Mails are stored using maildir, on an NFSv4 share.
My users are system users, but I am using LDAP, with libpam-ldap and libnss-ldap for caching credential information.
Everything is working as expected, well, /almost/.
Since NFS is using Kerberos, by default my users are not able to access their mail storage if they have not received their Kerberos ticket.
For instance, if I do nothing, these are the errors I get from dovecot when trying to log on using any IMAP client:
Mar 31 09:33:07 titan dovecot: imap-login: Login: user=, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
Mar 31 09:33:07 titan dovecot: dovecot: Fatal: chdir(/home/emails/team/arodier/) failed: Permission denied (euid=1003(arodier) egid=1001(red2team) missing +x perm: /home/emails)
Mar 31 09:33:07 titan dovecot: dovecot: child 5089 (imap) returned error 89 (Fatal failure)
However, if I just log in on a console as the user "/arodier/", I see that I have received a ticket, and I can see it with klist:
Credentials cache: FILE:/tmp/krb5cc_1001_ywvktf
Principal: arodier@RED2.SRV
Issued Expires Principal
Mar 31 09:25:55 Mar 31 19:25:53 krbtgt/RED2.SRV@RED2.SRV
Mar 31 09:25:57 Mar 31 19:25:53 nfs/ananke.red2.srv@RED2.SRV
Once I have simply logged in on a console, I can access my emails using any IMAP client.
The question is: how should I configure libpam (or dovecot?) to initialise/receive a Kerberos ticket after successful authentication?
Thanks for your answers.
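As an added diagnostic example, not part of the original post: a small Python script that parses Dovecot "Fatal: chdir(...) failed: Permission denied (euid=...)" lines in the format quoted above and checks whether the failing uid has a FILE credential cache (named krb5cc_<uid>_<random>, as in the klist output), to separate the "no ticket for the NFS mount" case from an ordinary permissions problem. The log lines and the cache listing are constructed sample data.

```python
import re

# Matches the Dovecot fatal line quoted in the post and captures the
# directory it tried to enter plus the effective uid and user name.
CHDIR_RE = re.compile(
    r"dovecot: Fatal: chdir\((?P<path>[^)]+)\) failed: Permission denied "
    r"\(euid=(?P<uid>\d+)\((?P<user>[^)]+)\)"
)

# Constructed sample log (first three lines mirror the post's format).
SAMPLE_LOG = """\
Mar 31 09:33:07 titan dovecot: imap-login: Login: user=<arodier>, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
Mar 31 09:33:07 titan dovecot: dovecot: Fatal: chdir(/home/emails/team/arodier/) failed: Permission denied (euid=1003(arodier) egid=1001(red2team) missing +x perm: /home/emails)
Mar 31 09:33:07 titan dovecot: dovecot: child 5089 (imap) returned error 89 (Fatal failure)
Mar 31 09:40:12 titan dovecot: dovecot: Fatal: chdir(/home/emails/team/bob/) failed: Permission denied (euid=1004(bob) egid=1001(red2team) missing +x perm: /home/emails)
"""

# Constructed listing of credential caches found under /tmp; in a real
# run this would come from os.listdir("/tmp") on the IMAP host.
SAMPLE_CACHES = ["/tmp/krb5cc_1003_ywvktf", "/tmp/krb5cc_0"]


def parse_chdir_failures(log_text):
    """Return (uid, user, path) for every fatal chdir permission-denied line."""
    hits = []
    for line in log_text.splitlines():
        m = CHDIR_RE.search(line)
        if m:
            hits.append((int(m.group("uid")), m.group("user"), m.group("path")))
    return hits


def has_ccache(uid, cache_paths):
    """True if a FILE cache named krb5cc_<uid> or krb5cc_<uid>_<suffix> exists.

    Presence only shows a cache was created; rpc.gssd still needs a
    valid, unexpired nfs/ service ticket inside it for the mount to work.
    """
    pat = re.compile(rf"/krb5cc_{uid}(_[^/]*)?$")
    return any(pat.search(p) for p in cache_paths)


def triage(log_text, cache_paths):
    """Map each failing user to a verdict pointing at the likely cause."""
    verdicts = {}
    for uid, user, _path in parse_chdir_failures(log_text):
        if has_ccache(uid, cache_paths):
            verdicts[user] = "cache present, check ticket validity and NFS/ACL permissions"
        else:
            verdicts[user] = "no ticket cache for uid %d" % uid
    return verdicts
```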