GSSAPI and usernames, not Kerberos ticket names
Hi all,
I've got a Dovecot v2.3.3 IMAP server with GSSAPI auth set up. This server is in the main domain, 'contoso.com'. I also have several subdomains.
My problem is usernames with GSSAPI authentication:
When I try to log in as 'user' or as 'user@CONTOSO.COM', everything works. But 'user@contoso.com' auth fails. And when I try to log in as the subdomain user 'user2', it fails to log in. 'user2@sub.contoso.com' fails also. However, 'user2@SUB.CONTOSO.COM' works OK.
It looks like PAM uses the domain part of the login as the Kerberos realm name, regardless of the Kerberos domain-realm mapping. Also, if the domain part is not specified, PAM (Kerberos?) fails to determine a non-default realm.
What am I missing? Is there a way to use traditional 'user@domain' login names with PAM/GSSAPI, instead of Kerberos ticket names? Or maybe to tell the PAM module to convert the domain part of the username to uppercase before using it?
Thanks for any help or advice.
===== dovecot.conf: =====
auth_mechanisms = gssapi plain login external
auth_gssapi_hostname = "$ALL"
auth_krb5_keytab = /etc/krb5.keytab
auth_default_realm =
passdb {
  driver = pam
  args = cache_key=%d%r%n failure_show_msg=yes dovecot
}
userdb {
  driver = static
  args = uid=502 gid=502 home=/var/vmail/%L{auth_domain}/%L{auth_username} mail=maildir:/var/vmail/%L{auth_domain}/%L{auth_username}/Maildir allow_all_users=yes
}
===== pam.d/dovecot: =====
auth     sufficient pam_krb5.so use_first_pass
account  [default=bad success=ok user_unknown=ignore] pam_krb5.so
password sufficient pam_krb5.so use_authtok
session  optional pam_krb5.so
===== krb5.conf: =====
[libdefaults]
  default_realm = CONTOSO.COM
  dns_lookup_realm = true
  dns_lookup_kdc = true

[realms]
  CONTOSO.COM = {
    kdc = dc.contoso.com:88
    admin_server = dc.contoso.com:749
  }

[domain_realm]
  contoso.com = CONTOSO.COM
  .contoso.com = CONTOSO.COM
  sub.contoso.com = CONTOSO.COM
  .sub.contoso.com = CONTOSO.COM
  SUB.CONTOSO.COM = CONTOSO.COM
  .SUB.CONTOSO.COM = CONTOSO.COM

[appdefaults]
  pam = {
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
  }
===== klist server =====
Default principal: imap/mail2.contoso.com@CONTOSO.COM

===== klist client =====
Default principal: user2@SUB.CONTOSO.COM
===== Logging in with user2@SUB.CONTOSO.COM - OK: =====
auth: Debug: client in: AUTH 1 GSSAPI service=imap secured=tls session=....
auth: Debug: gssapi(?,192.168.....,<MR1yvq6DftfAqAoP>): Using all keytab entries
auth: Debug: client passdb out: CONT 1
auth: Debug: client in: CONT<hidden>
auth: Debug: gssapi(user2@sub.contoso.com,192.168....,<MR1yvq6DftfAqAoP>): security context state completed.
auth: Debug: client passdb out: CONT 1 YIGVB....
auth: Debug: client in: CONT<hidden>
auth: Debug: gssapi(user2@sub.contoso.com,192.168.....,<MR1yvq6DftfAqAoP>): Negotiated security layer
auth: Debug: client passdb out: CONT 1 BQQF/.....
auth: Debug: client in: CONT<hidden>
auth: Debug: pam(user2@sub.contoso.com,192.168.....,<MR1yvq6DftfAqAoP>): passdb doesn't support credential lookups
auth: Debug: gssapi(user2@sub.contoso.com,192.168.....,<MR1yvq6DftfAqAoP>): skipping passdb: mechanism filtered
auth: Debug: client passdb out: OK 1 user=user2@sub.contoso.com original_user=user2@SUB.CONTOSO.COM
===== Logging in with user2@sub.contoso.com - FAIL: =====
auth: Debug: client in: AUTH 1 GSSAPI service=imap secured=tls session=...
auth: Debug: gssapi(?,192.168....,<Hgh4zq6DhNfAqAoP>): Using all keytab entries
auth: Debug: client passdb out: CONT 1
auth: Debug: client in: CONT<hidden>
auth: Debug: gssapi(user2@sub.contoso.com,192.168....,<Hgh4zq6DhNfAqAoP>): security context state completed.
auth: Debug: client passdb out: CONT 1 YIGVB.....
auth: Debug: client in: CONT<hidden>
auth: Debug: gssapi(user2@sub.contoso.com,192.168....,<Hgh4zq6DhNfAqAoP>): Negotiated security layer
auth: Debug: client passdb out: CONT 1 BQQF/.....
auth: Debug: client in: CONT<hidden>
auth: Debug: pam(user2@sub.contoso.com,192.168.....,<Hgh4zq6DhNfAqAoP>): passdb doesn't support credential lookups
auth: Debug: gssapi(user2@sub.contoso.com,192.168.....,<Hgh4zq6DhNfAqAoP>): skipping passdb: mechanism filtered
auth: Debug: client passdb out: FAIL 1 user=user2@sub.contoso.com original_user=user2@SUB.CONTOSO.COM
Dmitry Donskih
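As an added example (not from the original post, and not Dovecot's or pam_krb5's code), here is a small Python model of what a realm-aware check of a traditional 'user@domain' login would have to do: map the domain part through the posted [domain_realm] section (copied into the script as a constructed string), give a bare username the default realm, and compare the result with the principal carried in the ticket. A naive exact comparison is shown beside it. The lookup order for [domain_realm] (exact name first, then each parent domain with a leading dot, then the default realm) follows the documented behaviour of that section; DNS-based realm lookup is left out. The function names and the CASES table are this example's own, built from the logins the post reports.

```python
# Added example: model of login-name -> Kerberos principal normalization
# via a krb5.conf [domain_realm] mapping. Not Dovecot or pam_krb5 code.

import re

DEFAULT_REALM = "CONTOSO.COM"

# [domain_realm] section as posted (constructed copy for this example).
DOMAIN_REALM_TEXT = """
contoso.com = CONTOSO.COM
.contoso.com = CONTOSO.COM
sub.contoso.com = CONTOSO.COM
.sub.contoso.com = CONTOSO.COM
SUB.CONTOSO.COM = CONTOSO.COM
.SUB.CONTOSO.COM = CONTOSO.COM
"""


def parse_domain_realm(text):
    """Parse 'domain = REALM' lines. Keys are stored lowercased because DNS
    names are case-insensitive; realm names keep their case, which matters."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.match(r"^(\S+)\s*=\s*(\S+)$", line)
        if m:
            mapping[m.group(1).lower()] = m.group(2)
    return mapping


def domain_to_realm(domain, mapping, default_realm=DEFAULT_REALM):
    """Longest-suffix lookup: the exact name first, then '.parent',
    '.grandparent', ... Falls back to the default realm when nothing matches
    (simplification: DNS TXT lookup under dns_lookup_realm is not modelled)."""
    d = domain.lower()
    if d in mapping:
        return mapping[d]
    labels = d.split(".")
    for i in range(1, len(labels)):
        candidate = "." + ".".join(labels[i:])
        if candidate in mapping:
            return mapping[candidate]
    return default_realm


def login_to_principal(login, mapping, default_realm=DEFAULT_REALM):
    """Turn a traditional 'user@domain' login into 'user@REALM'. A bare user
    gets the default realm; an all-uppercase suffix is taken as a realm name
    verbatim; anything else is mapped through [domain_realm]."""
    user, sep, suffix = login.partition("@")
    if not sep:
        return f"{user}@{default_realm}"
    if suffix.isupper():
        return f"{user}@{suffix}"
    return f"{user}@{domain_to_realm(suffix, mapping, default_realm)}"


def strict_matches(login, ticket_principal, default_realm=DEFAULT_REALM):
    """Naive check: append the default realm if absent, then compare exactly.
    Kerberos principal names are case-sensitive, so 'user@contoso.com' does
    not equal 'user@CONTOSO.COM' here."""
    if "@" not in login:
        login = f"{login}@{default_realm}"
    return login == ticket_principal


def principal_matches(login, ticket_principal, mapping, default_realm=DEFAULT_REALM):
    """Realm-aware check: normalize the login first, then compare exactly."""
    return login_to_principal(login, mapping, default_realm) == ticket_principal


# (login as typed, principal in the client's ticket), taken from the post.
CASES = [
    ("user", "user@CONTOSO.COM"),
    ("user@CONTOSO.COM", "user@CONTOSO.COM"),
    ("user@contoso.com", "user@CONTOSO.COM"),
    ("user2", "user2@SUB.CONTOSO.COM"),
    ("user2@sub.contoso.com", "user2@SUB.CONTOSO.COM"),
    ("user2@SUB.CONTOSO.COM", "user2@SUB.CONTOSO.COM"),
]

if __name__ == "__main__":
    mapping = parse_domain_realm(DOMAIN_REALM_TEXT)
    for login, ticket in CASES:
        print(f"{login:24} strict={strict_matches(login, ticket)!s:5} "
              f"mapped={principal_matches(login, ticket, mapping)!s:5} "
              f"-> {login_to_principal(login, mapping)}")
```

The strict check reproduces all six outcomes the post reports, which is what one expects from case-sensitive realm names. The mapped check lets 'user@contoso.com' match, but in this model 'user2@sub.contoso.com' still cannot match user2@SUB.CONTOSO.COM, because the posted [domain_realm] maps sub.contoso.com to CONTOSO.COM rather than to SUB.CONTOSO.COM, and a bare 'user2' gets the default realm CONTOSO.COM; whatever the server ultimately does with the login name, that mapping is the first thing to verify.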