GSSAPI and usernames, not Kerberos ticket names

Dmitry Donskih dmitry.donskih at gmail.com
Sat Mar 9 22:15:25 EET 2019


Hi all,

I've got a Dovecot v2.3.3 IMAP server with GSSAPI auth set up.
This server is in the main domain, 'contoso.com'. I also have several
subdomains.

My problem is usernames with GSSAPI authentication:

When I try to log in as 'user' or as 'user@CONTOSO.COM', everything
works. But 'user@contoso.com' auth fails.
And when I try to log in as a subdomain user, 'user2', it fails to log in.
'user2@sub.contoso.com' fails as well.
However, 'user2@SUB.CONTOSO.COM' works OK.

It looks like PAM uses the domain part of the login as the Kerberos realm name,
regardless of the Kerberos domain-realm mapping. Also, if the domain part is not
specified, PAM (Kerberos?) fails to determine a non-default realm.

What am I missing?
Is there a way to use traditional 'user@domain' login names with
PAM/GSSAPI, instead of Kerberos ticket names?
Or maybe to tell the PAM module to convert the domain part of the username to
uppercase before using it?

Thanks for any help or advice.

===== dovecot.conf: =====
auth_mechanisms = gssapi plain login external
auth_gssapi_hostname = "$ALL"
auth_krb5_keytab = /etc/krb5.keytab
auth_default_realm =
passdb {
  driver = pam
  args = cache_key=%d%r%n failure_show_msg=yes dovecot
}
userdb {
  driver = static
  args = uid=502 gid=502 home=/var/vmail/%L{auth_domain}/%L{auth_username} mail=maildir:/var/vmail/%L{auth_domain}/%L{auth_username}/Maildir allow_all_users=yes
}
=====

===== pam.d/dovecot: =====
auth        sufficient    pam_krb5.so use_first_pass
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
password    sufficient    pam_krb5.so use_authtok
session     optional      pam_krb5.so
=====

===== krb5.conf: =====
[libdefaults]
default_realm = CONTOSO.COM
dns_lookup_realm = true
dns_lookup_kdc = true
[realms]
CONTOSO.COM = {
    kdc = dc.contoso.com:88
    admin_server = dc.contoso.com:749
}

[domain_realm]
contoso.com = CONTOSO.COM
.contoso.com = CONTOSO.COM
sub.contoso.com = CONTOSO.COM
.sub.contoso.com = CONTOSO.COM
SUB.CONTOSO.COM = CONTOSO.COM
.SUB.CONTOSO.COM = CONTOSO.COM

[appdefaults]
pam = {
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
}

===== klist server =====
Default principal: imap/mail2.contoso.com@CONTOSO.COM

===== klist client =====
Default principal: user2@SUB.CONTOSO.COM


===== Logging in with user2@SUB.CONTOSO.COM - OK: =====

auth: Debug: client in: AUTH    1       GSSAPI  service=imap secured=tls  session=....
auth: Debug: gssapi(?,192.168.....,<MR1yvq6DftfAqAoP>): Using all keytab entries
auth: Debug: client passdb out: CONT    1
auth: Debug: client in: CONT<hidden>
auth: Debug: gssapi(user2@sub.contoso.com,192.168....,<MR1yvq6DftfAqAoP>): security context state completed.
auth: Debug: client passdb out: CONT    1       YIGVB....
auth: Debug: client in: CONT<hidden>
auth: Debug: gssapi(user2@sub.contoso.com,192.168.....,<MR1yvq6DftfAqAoP>): Negotiated security layer
auth: Debug: client passdb out: CONT    1       BQQF/.....
auth: Debug: client in: CONT<hidden>
auth: Debug: pam(user2@sub.contoso.com,192.168.....,<MR1yvq6DftfAqAoP>): passdb doesn't support credential lookups
auth: Debug: gssapi(user2@sub.contoso.com,192.168.....,<MR1yvq6DftfAqAoP>): skipping passdb: mechanism filtered
auth: Debug: client passdb out: OK      1       user=user2@sub.contoso.com        original_user=user2@SUB.CONTOSO.COM


===== Logging in with user2@sub.contoso.com - FAIL: =====

auth: Debug: client in: AUTH    1       GSSAPI  service=imap secured=tls   session=...
auth: Debug: gssapi(?,192.168....,<Hgh4zq6DhNfAqAoP>): Using all keytab entries
auth: Debug: client passdb out: CONT    1
auth: Debug: client in: CONT<hidden>
auth: Debug: gssapi(user2@sub.contoso.com,192.168....,<Hgh4zq6DhNfAqAoP>): security context state completed.
auth: Debug: client passdb out: CONT    1       YIGVB.....
auth: Debug: client in: CONT<hidden>
auth: Debug: gssapi(user2@sub.contoso.com,192.168....,<Hgh4zq6DhNfAqAoP>): Negotiated security layer
auth: Debug: client passdb out: CONT    1       BQQF/.....
auth: Debug: client in: CONT<hidden>
auth: Debug: pam(user2@sub.contoso.com,192.168.....,<Hgh4zq6DhNfAqAoP>): passdb doesn't support credential lookups
auth: Debug: gssapi(user2@sub.contoso.com,192.168.....,<Hgh4zq6DhNfAqAoP>): skipping passdb: mechanism filtered
auth: Debug: client passdb out: FAIL    1       user=user2@sub.contoso.com        original_user=user2@SUB.CONTOSO.COM
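Editor's note: the pattern of successes and failures in the post follows from two properties of libkrb5 that are easy to reproduce offline. A realm is compared byte-for-byte (so 'contoso.com' and 'CONTOSO.COM' are different realms), and the [domain_realm] section is only consulted to map a host or domain name to a realm; it is never applied to whatever follows the '@' in a login name, which krb5_parse_name takes literally. The Python below is an added example, not code from the post and not Dovecot's or pam_krb5's own username check. It models krb5_parse_name, the [domain_realm] walk done by krb5_get_host_realm in MIT krb5, and krb5_principal_compare; the domain_realm table and the two ticket principals are copied from the post, and the check_login helper with its three-way comparison (literal, mapped through [domain_realm], upper-cased) is purely illustrative.

```python
"""Kerberos login-name handling: literal realm vs. [domain_realm] mapping.

Added example, not part of the original post. Models MIT libkrb5 behaviour
(krb5_parse_name, krb5_get_host_realm, krb5_principal_compare) so the
symptoms reported on the list can be reproduced without a KDC.
"""
from typing import Dict, Optional, Tuple

# [domain_realm] section exactly as posted in the thread's krb5.conf.
DOMAIN_REALM: Dict[str, str] = {
    "contoso.com": "CONTOSO.COM",
    ".contoso.com": "CONTOSO.COM",
    "sub.contoso.com": "CONTOSO.COM",
    ".sub.contoso.com": "CONTOSO.COM",
    "SUB.CONTOSO.COM": "CONTOSO.COM",
    ".SUB.CONTOSO.COM": "CONTOSO.COM",
}
DEFAULT_REALM = "CONTOSO.COM"  # default_realm from the posted krb5.conf

Principal = Tuple[str, str]  # (name, realm)


def parse_principal(login: str, default_realm: str = DEFAULT_REALM) -> Principal:
    """Mirror krb5_parse_name for the simple, unescaped case.

    Whatever follows the last '@' is the realm, taken verbatim: no
    [domain_realm] lookup and no case folding. A login without '@'
    is placed in the default realm.
    """
    name, sep, realm = login.rpartition("@")
    if not sep:
        return login, default_realm
    return name, realm


def realm_for_host(host: str, domain_realm: Dict[str, str] = DOMAIN_REALM) -> Optional[str]:
    """Mirror the [domain_realm] walk of krb5_get_host_realm (MIT krb5).

    The host is lower-cased first, then the full host and each parent
    domain are tried, dotted form before undotted form:
        mail2.sub.contoso.com, .sub.contoso.com, sub.contoso.com,
        .contoso.com, contoso.com, .com, com
    Keys are matched literally, so upper-case keys such as the posted
    'SUB.CONTOSO.COM' entries are never hit.
    """
    cp = host.lower()
    while cp:
        if cp in domain_realm:
            return domain_realm[cp]
        if cp.startswith("."):
            cp = cp[1:]
        else:
            idx = cp.find(".")
            cp = cp[idx:] if idx != -1 else ""
    return None


def principals_match(a: Principal, b: Principal) -> bool:
    """krb5_principal_compare: name and realm are both case-sensitive."""
    return a == b


def uppercase_realm(login: str) -> str:
    """The 'upper-case the domain part' workaround the poster asks about."""
    name, sep, realm = login.rpartition("@")
    return f"{name}@{realm.upper()}" if sep else login


def check_login(login: str, ticket: str) -> Dict[str, object]:
    """Hypothetical helper: compare a login name with the ticket principal
    literally (what GSSAPI/pam_krb5 do), with the domain part mapped through
    [domain_realm], and with the domain part upper-cased."""
    want = parse_principal(ticket)
    literal = parse_principal(login)
    name, sep, dom = login.rpartition("@")
    mapped_realm = realm_for_host(dom) if sep else None
    mapped = (name, mapped_realm) if mapped_realm else None
    return {
        "literal": literal,
        "literal_ok": principals_match(literal, want),
        "mapped": mapped,
        "mapped_ok": mapped is not None and principals_match(mapped, want),
        "upper_ok": principals_match(parse_principal(uppercase_realm(login)), want),
    }


if __name__ == "__main__":
    # Constructed cases: the five logins from the post against the klist principals.
    for login, ticket in [
        ("user", "user@CONTOSO.COM"),
        ("user@contoso.com", "user@CONTOSO.COM"),
        ("user2", "user2@SUB.CONTOSO.COM"),
        ("user2@sub.contoso.com", "user2@SUB.CONTOSO.COM"),
        ("user2@SUB.CONTOSO.COM", "user2@SUB.CONTOSO.COM"),
    ]:
        r = check_login(login, ticket)
        print(f"{login:24} literal={r['literal_ok']!s:5} "
              f"mapped={r['mapped']} -> {r['mapped_ok']!s:5} upper={r['upper_ok']}")
```

Running it reproduces the thread: 'user' and 'user@CONTOSO.COM' match, 'user@contoso.com' does not (realm compared literally), 'user2' does not (no '@' means the default realm CONTOSO.COM, but the ticket is in SUB.CONTOSO.COM), and 'user2@sub.contoso.com' only matches once the realm is upper-cased. It also shows that the posted [domain_realm] table would not rescue the subdomain case even if it were consulted: every sub.contoso.com entry maps to CONTOSO.COM, while the client's ticket realm is SUB.CONTOSO.COM.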

