GSSAPI vs group check
Németh Ákos Ferenc
nemethakos at f-labor.mkt.bme.hu
Fri Jun  1 14:55:29 EEST 2018

Dear All,

Is it possible to make any authorization (e.g. checking of group
membership) in case of GSSAPI authentication?

Our dovecot authenticates the users against PAM and GSSAPI. In the PAM
file I'm able to check if a user is a member of a selected (e.g.
mailreader) group. If the user is a member, he can log in, otherwise not
(see below). If the user has a valid Kerberos ticket and he tries to
log in via GSSAPI, I can't restrict him if he is not a member of the
selected group.

How can I overcome this issue?

My config:

passdb {
   driver = pam
   # [session=yes] [setcred=yes] [failure_show_msg=yes] [max_requests=<n>]
   # [cache_key=<key>] [<service name>]
   #args = dovecot
}
userdb {
   # <doc/wiki/AuthDatabase.Passwd.txt>
   driver = passwd
   # [blocking=no]
   #args =
   # Override fields from passwd
   #override_fields = home=/home/virtual/%u
}
...in PAM file:
auth    [success=1 default=ignore]      pam_succeed_if.so user ingroup mailreader
auth    [success=ignore default=2]      pam_succeed_if.so user ingroup admins
auth    [success=ignore default=1]      pam_succeed_if.so uid >= 1000
auth    [success=3 default=ignore]      pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login
auth    [success=ignore default=1]      pam_succeed_if.so uid < 1000
auth    [success=1 default=ignore]      pam_unix.so nullok_secure try_first_pass
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so

Thank you.
Br,
Ákos
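
The PAM auth stack quoted in the message relies on jump controls ([success=N default=...]), so which module a login reaches depends on group membership and uid. The following is an added example, not part of the original post: a simplified Python model of that stack which traces the path taken for a given user. The user records and the winbind_ok/unix_ok flags (standing for "the password check would pass") are constructed assumptions.

```python
# Simplified model of the Linux-PAM auth stack from the post (added example).
# Entry: (module, action on success, action on failure). int = skip the next N
# modules, "ignore" = go on, "die" = requisite failure, "ok" = required success.
STACK = [
    ("ingroup mailreader", 1, "ignore"),
    ("ingroup admins", "ignore", 2),
    ("uid >= 1000", "ignore", 1),
    ("pam_winbind", 3, "ignore"),
    ("uid < 1000", "ignore", 1),
    ("pam_unix", 1, "ignore"),
    ("pam_deny", "die", "die"),
    ("pam_permit", "ok", "ok"),
]

def module_result(name, user):
    """True if the module would succeed for this constructed user record."""
    if name.startswith("ingroup "):
        return name.split()[1] in user["groups"]
    checks = {
        "uid >= 1000": user["uid"] >= 1000,
        "uid < 1000": user["uid"] < 1000,
        "pam_winbind": user.get("winbind_ok", False),  # assumed password result
        "pam_unix": user.get("unix_ok", False),        # assumed password result
    }
    return checks.get(name, name == "pam_permit")  # pam_deny always fails

def evaluate(user):
    """Walk the stack; return (allowed, names of the modules that ran)."""
    i, trace = 0, []
    while i < len(STACK):
        name, on_ok, on_fail = STACK[i]
        trace.append(name)
        action = on_ok if module_result(name, user) else on_fail
        if action in ("die", "ok"):
            return action == "ok", trace
        i += 1 + (action if isinstance(action, int) else 0)
    return False, trace  # ran off the end without reaching pam_permit

# Constructed sample users, not taken from the post.
USERS = {
    "reader": {"uid": 1500, "groups": {"mailreader"}, "winbind_ok": True},
    "outsider": {"uid": 1501, "groups": set(), "winbind_ok": True},
    "admin": {"uid": 1502, "groups": {"admins"}, "winbind_ok": True},
    "local": {"uid": 500, "groups": set(), "unix_ok": True},
}

if __name__ == "__main__":
    for label, user in USERS.items():
        print(label, *evaluate(user))
```

In this model a domain user outside both groups is denied before pam_winbind is ever called, while a local account with uid below 1000 reaches pam_unix whether or not it is in either group.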
    
    