[Dovecot] How to grant a kerberos ticket after successful imap authentication from dovecot
Hello everybody,
I hope this question is appropriate for this list. Apologies if not.
I am running a set of virtual machines under debian 6, to build a mail/collaboration server. I am mainly using dovecot, postfix, openldap and heimdal. Mails are stored using maildir, on a NFSv4 share.
My users are system users, but using LDAP, with libpam-ldap and libnss-ldap for caching credential information.
Everything is working as expected, well, /almost/.
Since NFS is using kerberos, by default my users are not able to access their mail storage if they have not received their kerberos ticket.
For instance, if I do nothing, these are the errors I get from dovecot when trying to log on using any imap client:
Mar 31 09:33:07 titan dovecot: imap-login: Login: user=, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
Mar 31 09:33:07 titan dovecot: dovecot: Fatal: chdir(/home/emails/team/arodier/) failed: Permission denied (euid=1003(arodier) egid=1001(red2team) missing +x perm: /home/emails)
Mar 31 09:33:07 titan dovecot: dovecot: child 5089 (imap) returned error 89 (Fatal failure)
However, if I just log in on a console as the user "/arodier/", I see that I have received a ticket, and I can see it with klist:
Credentials cache: FILE:/tmp/krb5cc_1001_ywvktf
Principal: arodier@RED2.SRV
Issued Expires Principal
Mar 31 09:25:55 Mar 31 19:25:53 krbtgt/RED2.SRV@RED2.SRV
Mar 31 09:25:57 Mar 31 19:25:53 nfs/ananke.red2.srv@RED2.SRV
Once I have simply logged in on a console, I can access my emails using any IMAP client.
The question is: how should I configure libpam (or dovecot?) to initialise/receive a kerberos ticket after successful authentication?
Thanks for your answers.
On 31.3.2011, at 12.04, André Rodier wrote:
> How should I configure libpam (or dovecot?) to initialise/receive a kerberos ticket after successful authentication?
I doubt this is possible. At least not directly via PAM authentication, because in Dovecot the authentication is done by a separate authentication process. You could possibly use http://untroubled.org/mailfront/imapfront.html with Dovecot's imap binary.
Thanks, Timo.
So, other questions:
* Can I use a post login script to try to initialise the kerberos ticket?
* Can I write a dovecot plugin in C/C++ to do that, and in this case?
* If I use a plugin or a script, do I have access to the username / password?
* If I use a plugin, where can I find a skeleton?
Kind regards,
André Rodier.
On 31/03/2011 10:50, Timo Sirainen wrote:
> On 31.3.2011, at 12.04, André Rodier wrote:
>> How should I configure libpam (or dovecot?) to initialise/receive a kerberos ticket after successful authentication?
> I doubt this is possible. At least not directly via PAM authentication, because in Dovecot the authentication is done by a separate authentication process. You could possibly use http://untroubled.org/mailfront/imapfront.html with Dovecot's imap binary.
On 31.3.2011, at 17.32, André Rodier wrote:
> Thanks, Timo.
> So, other questions:
> - Can I use a post login script to try to initialise the kerberos ticket?
With v1.x yes, with v2.x no (because in v2.x it's again in a separate process to allow support for multiple clients per process).
> - Can I write a dovecot plugin in C/C++ to do that, and in this case?
Yes.
> - If I use a plugin or a script, do I have access to the username / password?
Username yes, password no. I guess you could modify Dovecot code so the PAM code saves the password and passes it to the mail process.
> - If I use a plugin, where can I find a skeleton?
v1.x or v2.x? v1.x is really simple, v2.x needs more work.
How are mails delivered then anyway? Doesn't that process also need some kerberos ticket?
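A post-login wrapper of the kind Timo describes for v1.x, written here as an added example (it is not from the thread or from Dovecot). It assumes dovecot.conf points mail_executable at this script, that Dovecot runs it as the user with the login name in $USER, a per-user keytab under /etc/dovecot/keytabs, and the Debian path of the imap binary; because the mail process never sees the password, the ticket comes from a keytab instead, and the script also validates the username and handles a missing keytab.

```shell
#!/bin/sh
# Dovecot 1.x post-login wrapper: get a Kerberos ticket for the logged-in
# user, then hand over to the real imap binary so the NFSv4 mail store is
# reachable. Assumptions (not from the thread): dovecot.conf sets
# mail_executable to this script, installed as /usr/local/sbin/postlogin-krb5.sh,
# Dovecot runs it as the user with the login name in $USER, and each user has
# a keytab at /etc/dovecot/keytabs/<user>.keytab owned by that user, mode 0400.
# A keytab is a long-term credential standing in for the password the mail
# process never sees, so guard it as you would the password.
set -eu

KEYTAB_DIR=/etc/dovecot/keytabs   # assumed layout
CCACHE_DIR=/tmp                   # same place the console login's cache lives
IMAP_BIN=/usr/lib/dovecot/imap    # Debian path of the real imap binary

# $USER is the login name, i.e. user-chosen input: accept only plain local
# usernames so it can never become a path such as "../../etc/x".
valid_username() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*|.*) return 1 ;;
        *) return 0 ;;
    esac
}

# One cache per uid, like the krb5cc_<uid>_... file klist showed.
ccache_for() {
    printf 'FILE:%s/krb5cc_%s_dovecot\n' "$CCACHE_DIR" "$1"
}

keytab_for() {
    printf '%s/%s.keytab\n' "$KEYTAB_DIR" "$1"
}

acquire_ticket() {
    user=$1
    keytab=$(keytab_for "$user")
    [ -r "$keytab" ] || { echo "postlogin: no keytab for $user" >&2; return 1; }
    KRB5CCNAME=$(ccache_for "$(id -u "$user")")
    export KRB5CCNAME                      # inherited by the exec'd imap process
    kinit -k -t "$keytab" "$user"          # same flags on Heimdal and MIT kinit
}

main() {
    valid_username "${USER:-}" || { echo "postlogin: bad username" >&2; exit 1; }
    acquire_ticket "$USER" || exit 1
    exec "$IMAP_BIN"
}

# Only act under the installed name; sourcing the file just defines the functions.
case "${0##*/}" in postlogin-krb5.sh) main ;; esac
```

The same keytab approach would be needed for the deliver process, which Timo points out also has to reach the NFS share.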
On 31/03/2011 15:37, Timo Sirainen wrote:
> On 31.3.2011, at 17.32, André Rodier wrote:
>> Thanks, Timo.
>> So, other questions:
>> - Can I use a post login script to try to initialise the kerberos ticket?
> With v1.x yes, with v2.x no (because in v2.x it's again in a separate process to allow support for multiple clients per process).
>> - Can I write a dovecot plugin in C/C++ to do that, and in this case?
> Yes.
>> - If I use a plugin or a script, do I have access to the username / password?
> Username yes, password no. I guess you could modify Dovecot code so the PAM code saves the password and passes it to the mail process.
>> - If I use a plugin, where can I find a skeleton?
> v1.x or v2.x? v1.x is really simple, v2.x needs more work.
> How are mails delivered then anyway? Doesn't that process also need some kerberos ticket?
Hello Timo,
You were right. Since I switched to NFSv4/Kerberos, I started by testing the mail access before the delivery.
Testing the dovecot deliver script just now, it fails as well... I probably have to use another method to obtain the ticket.
I can also try to use a virtual user for the whole mail storage... If I find a solution, I'll post it on this list.
I use dovecot 1.2, included by default on Debian squeeze.
Kind regards. André Rodier.