Hi. Is it possible to use GSSAPI authentication and a deny passdb
together? It seems it doesn't work as I expect: GSSAPI doesn't check the
deny passdb, so I'm not able to restrict access for GSSAPI users.
I can see this in the logs when a user tries to connect with PLAIN
authentication (via pam_krb5):
Oct 4 11:14:31 vm03 auth: Debug: passwd-file(testuser,172.17.0.123):
lookup: user=testuser file=/etc/dovecot/auth.d/.passwd-deny
Oct 4 11:14:31 vm03 dovecot: auth: passdb(tesetuser,172.17.0.123): User
found from deny passdb
But that's what I see if user logs in with GSSAPI:
...
Oct 4 11:21:38 vm03 dovecot: auth: Debug:
gssapi(testuser at REALM.LAN,172.17.0.123): Negotiated security layer
Oct 4 11:21:38 vm03 dovecot: auth: Debug: client out:
CONT#0111#011BQQF/wAMAAAAAAAAKSUwaQH///+3JRmZMw01WMX+CHM
Oct 4 11:21:38 vm03 dovecot: auth: Debug: client in: CONT<hidden>
Oct 4 11:21:38 vm03 dovecot: auth: Debug: client out:
OK#0111#011user=testuser
Oct 4 11:21:38 vm03 dovecot: auth: Debug:
passwd-file(testuser,172.17.0.123): lookup: user=testuser
file=/etc/dovecot/auth.d/.passwd-ldap
Oct 4 11:21:38 vm03 dovecot: auth: Debug: master out:
USER#0111632763905#011testuser#011home=/var/mail/realm.lan/testuser
Oct 4 11:21:38 vm03 dovecot: imap-login: Login: user=<testuser>,
method=GSSAPI, rip=172.17.0.123, lip=172.25.0.35, mpid=1085
Here is my auth configuration:
auth_mechanisms = plain login apop gssapi
# Kerberos
auth_realms = REALM.LAN
auth_gssapi_hostname = vm03.realm.lan
auth_krb5_keytab = /etc/dovecot/dovecot.keytab
######
# PASSDB
# Denied users
passdb {
driver = passwd-file
deny = yes
args = username_format=%n /etc/dovecot/auth.d/%d.passwd-deny
}
# Internal manual passwd-file
passdb {
driver = passwd-file
args = scheme=CRAM-MD5 username_format=%n /etc/dovecot/auth.d/%d.passwd
# override_fields = allow_nets=127.0.0.0/8,172.16.0.0/12
}
# External passwd-file
passdb {
driver = passwd-file
args = scheme=CRAM-MD5 username_format=%n /etc/dovecot/auth.d/%d.passwd-ext
}
# Internal kerberos pam
passdb {
driver = pam
args = max_requests=100 cache_key=%u%r dovecot
# override_fields = allow_nets=127.0.0.0/8,172.16.0.0/12
}
######
#USERDB
# Manual passwd-file
userdb {
driver = passwd-file
args = username_format=%n /etc/dovecot/auth.d/%d.passwd
# default_fields = home=/var/mail/%d/%n
}
# External passwd-file
userdb {
driver = passwd-file
args = username_format=%n /etc/dovecot/auth.d/%d.passwd-ext
# default_fields = home=/var/mail/%d/%n
}
# Automatic passwd-file, imported from LDAP. UserDB only
userdb {
driver = passwd-file
args = username_format=%n /etc/dovecot/auth.d/%d.passwd-ldap
# default_fields = home=/var/mail/%d/%n
}
### END ####
/etc/dovecot/auth.d/realm.lan.passwd-ldap:
testuser:::::/var/mail/realm.lan/testuser::
testuser2:::::/var/mail/realm.lan/testuser::
...
/etc/dovecot/auth.d/realm.lan.passwd-deny:
testuser
/etc/dovecot/auth.d/realm.lan.passwd* are symlinked to
/etc/dovecot/auth.d/.passwd*
to allow users without a domain part (auth_default_realm doesn't work with pam).
I know that in my case I can just exclude denied users from the .passwd-ldap
file, and even use .passwd-deny as a filter file :) But the problem exists and
should be solved, I think.
Thanks.
--
Best regards,
Sergey Urushkin
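The log above shows the GSSAPI login going straight from the mechanism to the passwd-file userdb lookup, with no passdb (and so no deny passdb) consulted. Until that is fixed, the practical check is to make sure no user in the deny file still has a userdb entry, and the workaround the mail mentions is to filter the userdb file against the deny file. The script below does both; it is an added example, not part of the mail or of Dovecot, and the file contents are constructed to mirror the quoted files (passwd-file format, user name in the first colon-separated field; username_format=%n handling mirrored by stripping any "@domain" part).

```python
"""Audit and filter helpers for a Dovecot deny passdb vs. passwd-file userdb.

Added example (not from the mail or from Dovecot). Assumes the passwd-file
format quoted in the mail: colon-separated fields, user name first; the deny
file is also read by driver = passwd-file, so it shares the same parser.
"""


def _local_part(name: str) -> str:
    # Mirror username_format=%n: keep only the part before '@'.
    return name.split("@", 1)[0].strip()


def parse_passwd_file(text: str) -> set:
    """User names found in passwd-file content; blank and '#' lines skipped."""
    users = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        users.add(_local_part(line.split(":", 1)[0]))
    return users


def denied_but_still_resolvable(deny_text: str, *userdb_texts: str) -> set:
    """Denied users that at least one userdb passwd-file would still resolve.

    These are exactly the accounts a mechanism that skips the passdb lookup
    (GSSAPI, in the mail's log) would still let in."""
    denied = parse_passwd_file(deny_text)
    resolvable = set().union(*(parse_passwd_file(t) for t in userdb_texts))
    return denied & resolvable


def filter_userdb(userdb_text: str, deny_text: str) -> str:
    """Return userdb content with every denied user's line removed (comments kept)."""
    denied = parse_passwd_file(deny_text)
    kept = []
    for line in userdb_text.splitlines():
        s = line.strip()
        if s and not s.startswith("#") and _local_part(s.split(":", 1)[0]) in denied:
            continue
        kept.append(line)
    return "\n".join(kept) + ("\n" if userdb_text.endswith("\n") else "")


# Constructed sample content modelled on the files quoted in the mail.
DENY = "testuser\n"
PASSWD_LDAP = ("testuser:::::/var/mail/realm.lan/testuser::\n"
               "testuser2:::::/var/mail/realm.lan/testuser::\n")
PASSWD = "# manual entries\nmailadmin:{CRAM-MD5}placeholder-hash:::::\n"

if __name__ == "__main__":
    for user in sorted(denied_but_still_resolvable(DENY, PASSWD_LDAP, PASSWD)):
        print(f"WARNING: {user} is in the deny file but still has a userdb entry")
    print(filter_userdb(PASSWD_LDAP, DENY), end="")
```

Run it against the real files (read their contents instead of the constructed strings) from cron or a config-deploy hook so a denied user who reappears in the LDAP-imported file is noticed rather than silently admitted over GSSAPI.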