GSSAPI vs group check

Németh Ákos Ferenc nemethakos at f-labor.mkt.bme.hu
Fri Jun 1 14:55:29 EEST 2018


Dear All,


Is it possible to do any authorization (e.g. checking group 
membership) in the case of GSSAPI authentication?


Our Dovecot authenticates the users against PAM and GSSAPI. In the PAM 
file I'm able to check if a user is a member of a selected (e.g. 
mailreader) group. If the user is a member, he can log in, otherwise not 
(see below). If the user has a valid Kerberos ticket and he tries to 
log in via GSSAPI, I can't restrict him if he is not a member of the 
selected group.


How can I overcome this issue?


My config:

passdb {
   driver = pam
   # [session=yes] [setcred=yes] [failure_show_msg=yes] [max_requests=<n>]
   # [cache_key=<key>] [<service name>]
   #args = dovecot
}

userdb {
   # <doc/wiki/AuthDatabase.Passwd.txt>
   driver = passwd
   # [blocking=no]
   #args =

   # Override fields from passwd
   #override_fields = home=/home/virtual/%u
}


...in PAM file:

auth    [success=1 default=ignore]      pam_succeed_if.so user ingroup mailreader

auth    [success=ignore default=2]      pam_succeed_if.so user ingroup admins
auth    [success=ignore default=1]      pam_succeed_if.so uid >= 1000
auth    [success=3 default=ignore]      pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login

auth    [success=ignore default=1]      pam_succeed_if.so uid < 1000
auth    [success=1 default=ignore]      pam_unix.so nullok_secure try_first_pass

auth    requisite                       pam_deny.so

auth    required                        pam_permit.so


Thank you.


Br,
Ákos
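Added example (not from the post, Dovecot or PAM): a small emulation of the control flow of the PAM auth stack quoted above, so that the routing of each class of user through the [success=N default=ignore] jumps is visible; the module outcomes (pam_winbind, pam_unix) and the sample users are constructed inputs. Only password logins through the PAM passdb take this path, which is why the author's group check does not apply to GSSAPI logins.

```python
# Added example (not from the post or from Dovecot/PAM): emulate the control
# flow of the quoted PAM auth stack. Module outcomes are constructed inputs.
# (on_success, on_fail, check): "ignore" = fall through to the next line,
# an int N = skip the next N lines, as in PAM's [success=N default=ignore].
PAM_STACK = [
    (1, "ignore", "ingroup mailreader"),
    ("ignore", 2, "ingroup admins"),
    ("ignore", 1, "uid >= 1000"),
    (3, "ignore", "pam_winbind krb5_auth"),
    ("ignore", 1, "uid < 1000"),
    (1, "ignore", "pam_unix"),
    (None, None, "pam_deny"),    # requisite: terminal failure
    (None, None, "pam_permit"),  # required: terminal success
]

def evaluate(user, stack=PAM_STACK):
    """Walk the stack for a constructed user dict; return (result, trace)."""
    checks = {
        "ingroup mailreader": "mailreader" in user["groups"],
        "ingroup admins": "admins" in user["groups"],
        "uid >= 1000": user["uid"] >= 1000,
        "uid < 1000": user["uid"] < 1000,
        "pam_winbind krb5_auth": user["krb5_ok"],  # Kerberos password check
        "pam_unix": user["unix_ok"],               # local shadow password
    }
    i, trace = 0, []
    while i < len(stack):
        on_success, on_fail, name = stack[i]
        if name == "pam_deny":
            return "deny", trace
        if name == "pam_permit":
            return "permit", trace
        ok = checks[name]
        trace.append((name, ok))
        action = on_success if ok else on_fail
        i += 1 if action == "ignore" else 1 + action
    return "deny", trace  # ran off the end of the stack

if __name__ == "__main__":
    # Constructed sample users; only password logins through the PAM passdb
    # take this path, a GSSAPI login never consults it.
    for u in [
        dict(name="alice", groups={"mailreader"}, uid=2000, krb5_ok=True, unix_ok=True),
        dict(name="bob", groups=set(), uid=2001, krb5_ok=True, unix_ok=True),
        dict(name="carol", groups={"admins"}, uid=500, krb5_ok=False, unix_ok=True),
    ]:
        result, trace = evaluate(u)
        print(u["name"], result, [n for n, ok in trace])
```

Note that a mailreader member with uid >= 1000 whose Kerberos check fails is denied even with a valid local password, because the stack only reaches pam_unix for uids below 1000.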


