Hi. Is it possible to use GSSAPI authentication and a deny passdb together? It seems it doesn't work as I expect: GSSAPI doesn't check the deny passdb, so I'm not able to restrict access for GSSAPI users.

I can see these in the logs when a user tries to connect with PLAIN authentication (via pam_krb5):

Oct 4 11:14:31 vm03 auth: Debug: passwd-file(testuser,172.17.0.123): lookup: user=testuser file=/etc/dovecot/auth.d/.passwd-deny
Oct 4 11:14:31 vm03 dovecot: auth: passdb(tesetuser,172.17.0.123): User found from deny passdb

But this is what I see if a user logs in with GSSAPI:

...
Oct 4 11:21:38 vm03 dovecot: auth: Debug: gssapi(testuser@REALM.LAN,172.17.0.123): Negotiated security layer
Oct 4 11:21:38 vm03 dovecot: auth: Debug: client out: CONT#0111#011BQQF/wAMAAAAAAAAKSUwaQH///+3JRmZMw01WMX+CHM=
Oct 4 11:21:38 vm03 dovecot: auth: Debug: client in: CONT<hidden>
Oct 4 11:21:38 vm03 dovecot: auth: Debug: client out: OK#0111#011user=testuser
Oct 4 11:21:38 vm03 dovecot: auth: Debug: passwd-file(testuser,172.17.0.123): lookup: user=testuser file=/etc/dovecot/auth.d/.passwd-ldap
Oct 4 11:21:38 vm03 dovecot: auth: Debug: master out: USER#0111632763905#011testuser#011home=/var/mail/realm.lan/testuser
Oct 4 11:21:38 vm03 dovecot: imap-login: Login: user=<testuser>, method=GSSAPI, rip=172.17.0.123, lip=172.25.0.35, mpid=1085
Here is my auth configuration:
auth_mechanisms = plain login apop gssapi

# Kerberos
auth_realms = REALM.LAN
auth_gssapi_hostname = vm03.realm.lan
auth_krb5_keytab = /etc/dovecot/dovecot.keytab

######
# PASSDB

# Denied users
passdb {
  driver = passwd-file
  deny = yes
  args = username_format=%n /etc/dovecot/auth.d/%d.passwd-deny
}

# Internal manual passwd-file
passdb {
  driver = passwd-file
  args = scheme=CRAM-MD5 username_format=%n /etc/dovecot/auth.d/%d.passwd
  # override_fields = allow_nets=127.0.0.0/8,172.16.0.0/12
}

# External passwd-file
passdb {
  driver = passwd-file
  args = scheme=CRAM-MD5 username_format=%n /etc/dovecot/auth.d/%d.passwd-ext
}

# Internal kerberos pam
passdb {
  driver = pam
  args = max_requests=100 cache_key=%u%r dovecot
  # override_fields = allow_nets=127.0.0.0/8,172.16.0.0/12
}

######
# USERDB

# Manual passwd-file
userdb {
  driver = passwd-file
  args = username_format=%n /etc/dovecot/auth.d/%d.passwd
  # default_fields = home=/var/mail/%d/%n
}

# External passwd-file
userdb {
  driver = passwd-file
  args = username_format=%n /etc/dovecot/auth.d/%d.passwd-ext
  # default_fields = home=/var/mail/%d/%n
}

# Automatic passwd-file, imported from LDAP. UserDB only
userdb {
  driver = passwd-file
  args = username_format=%n /etc/dovecot/auth.d/%d.passwd-ldap
  # default_fields = home=/var/mail/%d/%n
}

### END ####

/etc/dovecot/auth.d/realm.lan.passwd-ldap:
testuser:::::/var/mail/realm.lan/testuser::
testuser2:::::/var/mail/realm.lan/testuser::
...

/etc/dovecot/auth.d/realm.lan.passwd-deny:
testuser
/etc/dovecot/auth.d/realm.lan.passwd* are symlinked to /etc/dovecot/auth.d/.passwd* to allow users without a domain part (auth_default_realm doesn't work with pam).

I know that in my case I can just exclude denied users from the .passwd-ldap file, and even use .passwd-deny as a filter file :) But the problem exists and should be solved, I think.
Thanks.
-- Best regards, Sergey Urushkin
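A defender-side check for the workaround Sergey mentions (keeping denied users out of the .passwd-ldap userdb file, using .passwd-deny as the filter). This is an added example, not part of the original message or of Dovecot: it parses both passwd-file style files, reports denied users that still have a userdb entry, and emits the filtered userdb text. The file layouts follow the post; the sample contents and the extra "bob" entry are constructed.

```python
"""Audit/filter helper for Dovecot passwd-file backends (added example).

Assumed layout, taken from the post: a userdb passwd-file (.passwd-ldap) with
one 'user:password:uid:gid:gecos:home:shell:extra' entry per line, and a deny
passdb file (.passwd-deny) with one username per line. With username_format=%n
Dovecot looks users up by the local part only, so 'user@realm' entries in the
deny file are matched on their local part here as well.
"""


def _local_part(user):
    """Mirror username_format=%n: drop any '@domain' suffix."""
    return user.split("@", 1)[0]


def parse_passwd_file(text):
    """Return {user: line} for a passwd-file; the user is the first colon field."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        entries[_local_part(line.split(":", 1)[0])] = line
    return entries


def denied_but_present(userdb_text, deny_text):
    """Sorted list of denied users that still have a userdb entry."""
    return sorted(set(parse_passwd_file(userdb_text)) & set(parse_passwd_file(deny_text)))


def filter_userdb(userdb_text, deny_text):
    """Drop denied users from the userdb text; return (filtered_text, removed_users)."""
    deny = set(parse_passwd_file(deny_text))
    kept, removed = [], []
    for raw in userdb_text.splitlines():
        line = raw.strip()
        user = _local_part(line.split(":", 1)[0]) if line and not line.startswith("#") else None
        if user in deny:
            removed.append(user)
            continue
        kept.append(raw)
    return "\n".join(kept) + "\n", removed


# Constructed samples mirroring the post's files ('bob' added for the domain case).
PASSWD_LDAP = """testuser:::::/var/mail/realm.lan/testuser::
testuser2:::::/var/mail/realm.lan/testuser2::
bob:::::/var/mail/realm.lan/bob::
"""
PASSWD_DENY = "testuser\nbob@realm.lan\n"

if __name__ == "__main__":
    print("denied but still in userdb:", denied_but_present(PASSWD_LDAP, PASSWD_DENY))
    filtered, removed = filter_userdb(PASSWD_LDAP, PASSWD_DENY)
    print("removed:", removed)
    print(filtered, end="")
```

Running the filtered output into the userdb file (and re-running the check after each LDAP import) keeps the userdb from re-admitting a user that the deny passdb is supposed to block.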