[Dovecot] GSSAPI and deny=yes passdb
Hi. Is it possible to use GSSAPI authentication and deny passdb together? Seems it doesn't work as I expect: GSSAPI doesn't check deny passdb, so I'm not able to restrict access to GSSAPI-users.
I can see these in the logs when the user tries to connect with PLAIN authentication (via pam_krb5):

Oct 4 11:14:31 vm03 auth: Debug: passwd-file(testuser,172.17.0.123): lookup: user=testuser file=/etc/dovecot/auth.d/.passwd-deny
Oct 4 11:14:31 vm03 dovecot: auth: passdb(tesetuser,172.17.0.123): User found from deny passdb

But this is what I see if the user logs in with GSSAPI:

...
Oct 4 11:21:38 vm03 dovecot: auth: Debug: gssapi(testuser@REALM.LAN,172.17.0.123): Negotiated security layer
Oct 4 11:21:38 vm03 dovecot: auth: Debug: client out: CONT#0111#011BQQF/wAMAAAAAAAAKSUwaQH///+3JRmZMw01WMX+CHM=
Oct 4 11:21:38 vm03 dovecot: auth: Debug: client in: CONT<hidden>
Oct 4 11:21:38 vm03 dovecot: auth: Debug: client out: OK#0111#011user=testuser
Oct 4 11:21:38 vm03 dovecot: auth: Debug: passwd-file(testuser,172.17.0.123): lookup: user=testuser file=/etc/dovecot/auth.d/.passwd-ldap
Oct 4 11:21:38 vm03 dovecot: auth: Debug: master out: USER#0111632763905#011testuser#011home=/var/mail/realm.lan/testuser
Oct 4 11:21:38 vm03 dovecot: imap-login: Login: user=<testuser>, method=GSSAPI, rip=172.17.0.123, lip=172.25.0.35, mpid=1085
Here is my auth configuration:
auth_mechanisms = plain login apop gssapi

# Kerberos
auth_realms = REALM.LAN
auth_gssapi_hostname = vm03.realm.lan
auth_krb5_keytab = /etc/dovecot/dovecot.keytab

######
# PASSDB

# Denied users
passdb {
  driver = passwd-file
  deny = yes
  args = username_format=%n /etc/dovecot/auth.d/%d.passwd-deny
}

# Internal manual passwd-file
passdb {
  driver = passwd-file
  args = scheme=CRAM-MD5 username_format=%n /etc/dovecot/auth.d/%d.passwd
  # override_fields = allow_nets=127.0.0.0/8,172.16.0.0/12
}

# External passwd-file
passdb {
  driver = passwd-file
  args = scheme=CRAM-MD5 username_format=%n /etc/dovecot/auth.d/%d.passwd-ext
}

# Internal kerberos pam
passdb {
  driver = pam
  args = max_requests=100 cache_key=%u%r dovecot
  # override_fields = allow_nets=127.0.0.0/8,172.16.0.0/12
}

######
# USERDB

# Manual passwd-file
userdb {
  driver = passwd-file
  args = username_format=%n /etc/dovecot/auth.d/%d.passwd
  # default_fields = home=/var/mail/%d/%n
}

# External passwd-file
userdb {
  driver = passwd-file
  args = username_format=%n /etc/dovecot/auth.d/%d.passwd-ext
  # default_fields = home=/var/mail/%d/%n
}

# Automatic passwd-file, imported from LDAP. UserDB only
userdb {
  driver = passwd-file
  args = username_format=%n /etc/dovecot/auth.d/%d.passwd-ldap
  # default_fields = home=/var/mail/%d/%n
}

### END ####

/etc/dovecot/auth.d/realm.lan.passwd-ldap:
testuser:::::/var/mail/realm.lan/testuser::
testuser2:::::/var/mail/realm.lan/testuser::
...

/etc/dovecot/auth.d/realm.lan.passwd-deny:
testuser
/etc/dovecot/auth.d/realm.lan.passwd* are symlinked to /etc/dovecot/auth.d/.passwd* to allow users without a domain part (auth_default_realm doesn't work with pam).
I know that in my case I can just exclude denied users from the .passwd-ldap file, and even use .passwd-deny as a filter file :) But the problem exists and should be solved, I think.
Thanks.
-- Best regards, Sergey Urushkin
No one has an idea?

# dovecot --version
2.0.15
On 04.10.2011 13:01, Sergey Urushkin wrote:
Hi. Is it possible to use GSSAPI authentication and deny passdb together? Seems it doesn't work as I expect: GSSAPI doesn't check deny passdb, so I'm not able to restrict access to GSSAPI-users.
...
-- Best regards, Sergey Urushkin
On Tue, 2011-10-04 at 13:01 +0400, Sergey Urushkin wrote:
Hi. Is it possible to use GSSAPI authentication and deny passdb together? Seems it doesn't work as I expect: GSSAPI doesn't check deny passdb, so I'm not able to restrict access to GSSAPI-users.
GSSAPI doesn't use any passdbs, so it doesn't work. It would be nice to change this some day (so e.g. proxying would also be possible with GSSAPI auth), but for now it's a rather low priority for me.
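Given the answer above (GSSAPI logins never consult a passdb, so the deny list is silently skipped), one defensive check is to audit the imap-login log for successful GSSAPI logins by users who appear in the deny file. This is an added example, not code from Dovecot or from either poster; the log lines and deny-file contents are constructed from the thread's own samples.

```python
import re

# Matches the imap-login success line Dovecot writes (format taken from the
# log excerpt in this thread).
LOGIN_RE = re.compile(
    r"imap-login: Login: user=<(?P<user>[^>]+)>, method=(?P<method>\S+), "
    r"rip=(?P<rip>[\d.]+)"
)

# Constructed deny passdb contents (passwd-file format: user name is the
# first colon-separated field; blank and '#' lines are ignored).
DENY_FILE = """\
testuser
# commented-out entry
"""

# Constructed log sample modelled on the thread: testuser is denied but
# still gets a GSSAPI login; testuser3 is not denied.
LOG_LINES = [
    "Oct 4 11:21:38 vm03 dovecot: imap-login: Login: user=<testuser>, method=GSSAPI, rip=172.17.0.123, lip=172.25.0.35, mpid=1085",
    "Oct 4 11:25:02 vm03 dovecot: imap-login: Login: user=<testuser2>, method=GSSAPI, rip=172.17.0.124, lip=172.25.0.35, mpid=1090",
    "Oct 4 11:26:10 vm03 dovecot: imap-login: Login: user=<testuser3>, method=PLAIN, rip=172.17.0.125, lip=172.25.0.35, mpid=1101",
]


def parse_deny_file(text):
    """Return the set of user names listed in a passwd-file deny passdb."""
    users = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        users.add(line.split(":", 1)[0])
    return users


def find_bypassed_logins(log_lines, denied):
    """Return (user, rip) for each successful GSSAPI login by a denied user,
    i.e. a login the deny passdb would have blocked for other mechanisms."""
    hits = []
    for line in log_lines:
        m = LOGIN_RE.search(line)
        if m and m.group("method").upper() == "GSSAPI" and m.group("user") in denied:
            hits.append((m.group("user"), m.group("rip")))
    return hits


if __name__ == "__main__":
    for user, rip in find_bypassed_logins(LOG_LINES, parse_deny_file(DENY_FILE)):
        print(f"denied user {user} logged in via GSSAPI from {rip}")
```

Pointing the script at the real /etc/dovecot/auth.d/*.passwd-deny file and the mail log turns this into a periodic audit until GSSAPI goes through the passdb chain.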