[Dovecot] can't deliver with Kerberos username
I've been trying to use Kerberos and PLAIN text file for authentication. I've setup deliver in postfix master.cf and make sure correct username are expanded but deliver is always told me "user unknown". I can logon into mailbox using Kerberos w/o problems and can send emails. Looks like Dovecot lookup up passwd files and not finding users which are in Kerberos realm.
# 1.0.15: /etc/dovecot/dovecot.conf log_path: /var/log/dovecot.log protocols: imap ssl_cert_file: /etc/postfix/new_chained.crt ssl_key_file: /etc/postfix/mail.pem login_dir: /var/run/dovecot/login login_executable: /usr/lib/dovecot/imap-login login_greeting_capability: yes mail_location: maildir:/var/mail/store/%u dotlock_use_excl: yes maildir_copy_with_hardlinks: yes auth default: mechanisms: PLAIN CRAM-MD5 GSSAPI passdb: driver: passwd-file args: /etc/dovecot/passwd userdb: driver: static args: uid=vmail gid=vmail home=/var/mail/store/%u socket: type: listen client: path: /var/spool/postfix/private/auth mode: 432 user: postfix group: postfix master: path: /var/run/dovecot/auth-master mode: 438 user: root group: root plugin: sieve: /var/mail/store/%u/sieve
On 8/14/2009, Nikolay Shopik (shopik@inblock.ru) wrote:
I've been trying to use Kerberos and PLAIN text file for authentication. I've setup deliver in postfix master.cf and make sure correct username are expanded but deliver is always told me "user unknown".
It is best to provide full logs, instead of trying to paraphrase or interprewhat they are saying...
# 1.0.15: /etc/dovecot/dovecot.conf
This is old... updating to latest stable (1.2.3) might fix your problem.
--
Best regards,
Charles
On 14.08.2009 23:15, Charles Marcus wrote:
On 8/14/2009, Nikolay Shopik (shopik@inblock.ru) wrote:
I've been trying to use Kerberos and PLAIN text file for authentication. I've setup deliver in postfix master.cf and make sure correct username are expanded but deliver is always told me "user unknown".
It is best to provide full logs, instead of trying to paraphrase or interprewhat they are saying... /etc/postfix/master.cf copy2sent unix - n n - - pipe flags=DRhu user=vmail:vmail argv=/usr/lib/dovecot/deliver -d ${sasl_username} -m Sent
pluto postfix/pipe[1693]: dict_eval: const /usr/lib/dovecot/deliver pluto postfix/pipe[1693]: dict_eval: const -d pluto postfix/pipe[1693]: dict_eval: expand ${sasl_username} -> nshopik pluto postfix/pipe[1693]: dict_eval: const -m pluto postfix/pipe[1693]: dict_eval: const Sent pluto postfix/pipe[1693]: 5609D1ADC002: to=bcc@bcc.foxtelecom.ru, relay=copy2sent, delay=0.04, delays=0.03/0/0/0.01, dsn=5.1.1, status=bounced (user unknown)
# 1.0.15: /etc/dovecot/dovecot.conf
This is old... updating to latest stable (1.2.3) might fix your problem.
Sure, but if its not broke didn't try to fix it :) It works for me like charm and its in debian latest stable.
On Fri, 2009-08-14 at 22:06 +0400, Nikolay Shopik wrote:
I've been trying to use Kerberos and PLAIN text file for authentication. I've setup deliver in postfix master.cf and make sure correct username are expanded but deliver is always told me "user unknown". I can logon into mailbox using Kerberos w/o problems and can send emails. Looks like Dovecot lookup up passwd files and not finding users which are in Kerberos realm.
passdb: driver: passwd-file args: /etc/dovecot/passwd
What do the usernames look like in this file? Set auth_debug=yes, what does deliver log then?
On 16.08.2009 4:29, Timo Sirainen wrote:
On Fri, 2009-08-14 at 22:06 +0400, Nikolay Shopik wrote:
I've been trying to use Kerberos and PLAIN text file for authentication. I've setup deliver in postfix master.cf and make sure correct username are expanded but deliver is always told me "user unknown". I can logon into mailbox using Kerberos w/o problems and can send emails. Looks like Dovecot lookup up passwd files and not finding users which are in Kerberos realm.
passdb: driver: passwd-file args: /etc/dovecot/passwdWhat do the usernames look like in this file? Set auth_debug=yes, what does deliver log then? Usernames are with domain - shopik@inblock.ru{PLAIN}password in file
15:34:31 Info: auth(default): client in: AUTH 1 GSSAPI service=IMAP lip=10.0.1.4 rip=1.1.107.157 15:34:31 Info: auth(default): gssapi(?,81.195.107.157): Obtaining credentials for imap@pluto 15:34:31 Info: auth(default): client out: CONT 1 15:34:31 Info: auth(default): client in: CONT<hidden> 15:34:31 Info: auth(default): gssapi(?,1.1.107.157): security context state completed. 15:34:31 Info: auth(default): client out: CONT 1 YIGCBgkqhkiG9xIBAgICAG9zMHGgAwIBBaEDAgEPomUwY6ADAgEXolwEWopE+RgkXAoy3StiEWS/b8J7060TbA+lNUzuY6tRtf3/cCPPbsnmaBbU8k2dlQ6MtNqL8XikW3tt25AK58x6yYKs6SH3ldkTlIBW36tJMplbdWgQqTSpY3ra6Q== 15:34:31 Info: auth(default): client in: CONT<hidden> 15:34:31 Info: auth(default): gssapi(?,1.1.107.157): Negotiated security layer 15:34:31 Info: auth(default): client out: CONT 1 YDAGCSqGSIb3EgECAgIBEQD/////LPILd/RXG1o5TsKWu3XbHKx0vgAAAAAAAf///wE= 15:34:31 Info: auth(default): client in: CONT<hidden> 15:34:31 Info: auth(default): client out: OK 1 user=nshopik 15:34:31 Info: auth(default): master in: REQUEST 4 25904 1 15:34:31 Info: auth(default): master out: USER 4 nshopik uid=1001 gid=1001 home=/var/mail/store/nshopik 15:34:31 Info: imap-login: Login: user=<nshopik>, method=GSSAPI, rip=1.1.107.157, lip=10.0.1.4 15:34:31 Info: auth(default): new auth connection: pid=25910
On Aug 16, 2009, at 2:57 AM, Nikolay Shopik wrote:
passdb: driver: passwd-file args: /etc/dovecot/passwd
What do the usernames look like in this file? Set auth_debug=yes,
what does deliver log then? Usernames are with domain - shopik@inblock.ru{PLAIN}password in file
15:34:31 Info: auth(default): client out: OK 1 user=nshopik
OK, so in Kerberos your usernames don't have @domain, but in passwd- file they do. There are only two possible solutions:
a) Remove @domain from passwd-file (or maybe create with and without
@domain)
b) Add @domain to kerberos usernames.
I don't know much about Kerberos, so I've no idea what would be the
proper way to solve this.
On 16.08.2009 11:11, Timo Sirainen wrote:
On Aug 16, 2009, at 2:57 AM, Nikolay Shopik wrote:
passdb: driver: passwd-file args: /etc/dovecot/passwd
What do the usernames look like in this file? Set auth_debug=yes, what does deliver log then? Usernames are with domain - shopik@inblock.ru{PLAIN}password in file
15:34:31 Info: auth(default): client out: OK 1 user=nshopik
OK, so in Kerberos your usernames don't have @domain, but in passwd-file they do. There are only two possible solutions:
a) Remove @domain from passwd-file (or maybe create with and without @domain)
b) Add @domain to kerberos usernames.
I don't know much about Kerberos, so I've no idea what would be the proper way to solve this.
A) This means I have to keep file with all username which are exist in Kerberos realm? This is little confusing because http://wiki.dovecot.org/Authentication/Kerberos says I may not have passdb at all. Also I don't wanna any password to be keeped for Kerberos users here.
On Aug 16, 2009, at 3:14 AM, Nikolay Shopik wrote:
I don't know much about Kerberos, so I've no idea what would be the proper way to solve this.
A) This means I have to keep file with all username which are exist
in Kerberos realm? This is little confusing because http://wiki.dovecot.org/Authentication/Kerberos says I may not have passdb at all. Also I don't wanna any password
to be keeped for Kerberos users here.
Right. It's not the passdb that deliver cares. It's the userdb. But
since you're using static userdb, deliver looks up the user's
existence from passdb. Of course if you already verify in your MTA
that all the users are valid, you can just add allow_all_users=yes to
static userdb args.
participants (3)
-
Charles Marcus
-
Nikolay Shopik
-
Timo Sirainen