André Rodier
2011-Mar-31 09:04 UTC
[Dovecot] How to grant a kerberos ticket after successful imap authentication from dovecot
Hello everybody,

I hope this question is appropriate for this list. Apologies if not.

I am running a set of virtual machines under Debian 6, to build a mail/collaboration server. I am mainly using dovecot, postfix, openldap and heimdal. Mails are stored using maildir, on an NFSv4 share.

My users are system users, but using LDAP and libpam-ldap and libnss-ldap for caching credentials information.

Everything is working as expected, well, /almost/.

Since NFS is using kerberos, by default, my users are not able to access their mail storage if they have not received their kerberos ticket.

For instance, if I do nothing, these are the errors I have from dovecot when trying to log on using any imap client:

Mar 31 09:33:07 titan dovecot: imap-login: Login: user=, method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
Mar 31 09:33:07 titan dovecot: dovecot: Fatal: chdir(/home/emails/team/arodier/) failed: Permission denied (euid=1003(arodier) egid=1001(red2team) missing +x perm: /home/emails)
Mar 31 09:33:07 titan dovecot: dovecot: child 5089 (imap) returned error 89 (Fatal failure)

However, if I just login on a console for the user "/arodier/", I see that I have received a ticket, and I can see it with klist:

Credentials cache: FILE:/tmp/krb5cc_1001_ywvktf
Principal: arodier at RED2.SRV

Issued           Expires          Principal
Mar 31 09:25:55  Mar 31 19:25:53  krbtgt/RED2.SRV at RED2.SRV
Mar 31 09:25:57  Mar 31 19:25:53  nfs/ananke.red2.srv at RED2.SRV

Once I have simply logged myself on a console, I can access my emails using any IMAP client.

The question is:

How should I configure libpam (or dovecot ?) to initialise/receive a kerberos ticket after successful authentication ?

Thanks for your answers.
Timo Sirainen
2011-Mar-31 09:50 UTC
[Dovecot] How to grant a kerberos ticket after successful imap authentication from dovecot
On 31.3.2011, at 12.04, André Rodier wrote:

> How should I configure libpam (or dovecot ?) to initialise/receive a kerberos ticket after successful authentication ?

I doubt this is possible. At least not directly via PAM authentication, because in Dovecot the authentication is done by a separate authentication process. You could possibly use http://untroubled.org/mailfront/imapfront.html with Dovecot's imap binary.