Hi all,
I've got a Dovecot v2.3.3 IMAP server with GSSAPI auth set up.
This server is in the main domain, 'contoso.com'. I also have several
subdomains.
My problem is usernames with GSSAPI authentication:
When I try to log in as 'user' or as 'user@CONTOSO.COM', everything
works. But 'user@contoso.com' auth fails.
And when I try to log in as a subdomain user, 'user2', it fails to log in.
'user2@sub.contoso.com' fails also.
However, 'user2@SUB.CONTOSO.COM' works OK.
It looks like PAM uses the domain part of the login as the Kerberos realm name,
regardless of the Kerberos domain-realm mapping. Also, if the domain part is not
specified, PAM (Kerberos?) fails to determine a non-default realm.
What am I missing?
Is there a way to use traditional 'user@domain' login names with
PAM/GSSAPI, instead of Kerberos ticket names?
Or maybe to tell the PAM module to convert the domain part of the username to
uppercase before using it?
Thanks for any help or advice.
===== dovecot.conf: ====
auth_mechanisms = gssapi plain login external
auth_gssapi_hostname = "$ALL"
auth_krb5_keytab = /etc/krb5.keytab
auth_default_realm =
passdb {
  driver = pam
  args = cache_key=%d%r%n failure_show_msg=yes dovecot
}
userdb {
  driver = static
  args = uid=502 gid=502 home=/var/vmail/%L{auth_domain}/%L{auth_username} mail=maildir:/var/vmail/%L{auth_domain}/%L{auth_username}/Maildir allow_all_users=yes
}
====
===== pam.d/dovecot: ====
auth sufficient pam_krb5.so use_first_pass
account [default=bad success=ok user_unknown=ignore] pam_krb5.so
password sufficient pam_krb5.so use_authtok
session optional pam_krb5.so
====
===== krb5.conf: ====
[libdefaults]
default_realm = CONTOSO.COM
dns_lookup_realm = true
dns_lookup_kdc = true
[realms]
CONTOSO.COM = {
  kdc = dc.contoso.com:88
  admin_server = dc.contoso.com:749
}
[domain_realm]
contoso.com = CONTOSO.COM
.contoso.com = CONTOSO.COM
sub.contoso.com = CONTOSO.COM
.sub.contoso.com = CONTOSO.COM
SUB.CONTOSO.COM = CONTOSO.COM
.SUB.CONTOSO.COM = CONTOSO.COM
[appdefaults]
pam = {
  ticket_lifetime = 36000
  renew_lifetime = 36000
  forwardable = true
  krb4_convert = false
}
===== klist server ===
Default principal: imap/mail2.contoso.com@CONTOSO.COM
===== klist client ===
Default principal: user2@SUB.CONTOSO.COM
===== Logging in with user2@SUB.CONTOSO.COM - OK: ====
auth: Debug: client in: AUTH 1 GSSAPI service=imap secured=tls session=....
auth: Debug: gssapi(?,192.168.....,<MR1yvq6DftfAqAoP>): Using all keytab entries
auth: Debug: client passdb out: CONT 1
auth: Debug: client in: CONT<hidden>
auth: Debug: gssapi(user2@sub.contoso.com,192.168....,<MR1yvq6DftfAqAoP>): security context state completed.
auth: Debug: client passdb out: CONT 1 YIGVB....
auth: Debug: client in: CONT<hidden>
auth: Debug: gssapi(user2@sub.contoso.com,192.168.....,<MR1yvq6DftfAqAoP>): Negotiated security layer
auth: Debug: client passdb out: CONT 1 BQQF/.....
auth: Debug: client in: CONT<hidden>
auth: Debug: pam(user2@sub.contoso.com,192.168.....,<MR1yvq6DftfAqAoP>): passdb doesn't support credential lookups
auth: Debug: gssapi(user2@sub.contoso.com,192.168.....,<MR1yvq6DftfAqAoP>): skipping passdb: mechanism filtered
auth: Debug: client passdb out: OK 1 user=user2@sub.contoso.com original_user=user2@SUB.CONTOSO.COM
===== Logging in with user2@sub.contoso.com - FAIL: ====
auth: Debug: client in: AUTH 1 GSSAPI service=imap secured=tls session=...
auth: Debug: gssapi(?,192.168....,<Hgh4zq6DhNfAqAoP>): Using all keytab entries
auth: Debug: client passdb out: CONT 1
auth: Debug: client in: CONT<hidden>
auth: Debug: gssapi(user2@sub.contoso.com,192.168....,<Hgh4zq6DhNfAqAoP>): security context state completed.
auth: Debug: client passdb out: CONT 1 YIGVB.....
auth: Debug: client in: CONT<hidden>
auth: Debug: gssapi(user2@sub.contoso.com,192.168....,<Hgh4zq6DhNfAqAoP>): Negotiated security layer
auth: Debug: client passdb out: CONT 1 BQQF/.....
auth: Debug: client in: CONT<hidden>
auth: Debug: pam(user2@sub.contoso.com,192.168.....,<Hgh4zq6DhNfAqAoP>): passdb doesn't support credential lookups
auth: Debug: gssapi(user2@sub.contoso.com,192.168.....,<Hgh4zq6DhNfAqAoP>): skipping passdb: mechanism filtered
auth: Debug: client passdb out: FAIL 1 user=user2@sub.contoso.com original_user=user2@SUB.CONTOSO.COM
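The realm handling the post is puzzling over, as an added example (this is not code from the post, from Dovecot or from MIT Kerberos; the function names are this example's own, and the krb5.conf text and the six-row outcome table are constructed from what the post shows). It models two things the krb5 library does differently: turning a hostname into a realm through [domain_realm], and turning a login string into a principal, where the text after '@' is the realm taken verbatim.

```python
"""Added example, not from the original post: a small model of how MIT Kerberos
turns (a) a hostname into a realm via [domain_realm] and (b) a login string into
a principal, using the krb5.conf fragment quoted in the post. All function names
are this example's own; the krb5 library calls they model are named in comments."""

import re

# Constructed input: the default_realm and [domain_realm] entries from the post.
KRB5_CONF = """
[libdefaults]
default_realm = CONTOSO.COM
[domain_realm]
contoso.com = CONTOSO.COM
.contoso.com = CONTOSO.COM
sub.contoso.com = CONTOSO.COM
.sub.contoso.com = CONTOSO.COM
SUB.CONTOSO.COM = CONTOSO.COM
.SUB.CONTOSO.COM = CONTOSO.COM
"""

# The six login attempts the post describes and whether each worked.
OBSERVED = {
    "user": True, "user@CONTOSO.COM": True, "user@contoso.com": False,
    "user2": False, "user2@sub.contoso.com": False, "user2@SUB.CONTOSO.COM": True,
}
# Realm of each account's ticket, taken from the post's klist output / description.
TICKET_REALM = {"user": "CONTOSO.COM", "user2": "SUB.CONTOSO.COM"}


def parse_krb5_conf(text):
    """Return (default_realm, {domain_or_suffix: realm}); only the two sections needed here."""
    section, default_realm, domain_realm = None, None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)
            continue
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if section == "libdefaults" and key == "default_realm":
            default_realm = value
        elif section == "domain_realm":
            domain_realm[key] = value
    return default_realm, domain_realm


def host_realm(hostname, domain_realm):
    """Model of krb5_get_host_realm(): the hostname is lowercased and a trailing dot
    dropped, then the full name is tried, then each dotted suffix in turn
    ('.sub.contoso.com', '.contoso.com', '.com'). None means no [domain_realm] hit
    (the real library would then fall back to DNS or the default realm)."""
    host = hostname.lower().rstrip(".")
    labels = host.split(".")
    candidates = [host] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    for candidate in candidates:
        if candidate in domain_realm:
            return domain_realm[candidate]
    return None


def parse_principal(name, default_realm):
    """Model of krb5_parse_name(): split at the last '@' (backslash escapes are not
    handled here). The realm is the text after '@' taken verbatim, case preserved;
    [domain_realm] is never consulted for a principal string."""
    primary, sep, realm = name.rpartition("@")
    if not sep:
        return name, default_realm
    return primary, realm


def realm_matches(login, ticket_principal, default_realm):
    """Kerberos realm names are case-sensitive, so the realm a login string yields is
    compared against the realm of the client's ticket with a plain string compare."""
    _, wanted = parse_principal(login, default_realm)
    _, have = parse_principal(ticket_principal, default_realm)
    return wanted == have


def model_outcomes(conf_text=KRB5_CONF):
    """Predict, for every login form in OBSERVED, whether its realm equals the ticket realm."""
    default_realm, _ = parse_krb5_conf(conf_text)
    outcomes = {}
    for login in OBSERVED:
        primary, _ = parse_principal(login, default_realm)
        ticket = f"{primary}@{TICKET_REALM[primary]}"
        outcomes[login] = realm_matches(login, ticket, default_realm)
    return outcomes


if __name__ == "__main__":
    default_realm, domain_realm = parse_krb5_conf(KRB5_CONF)
    for login, ok in model_outcomes().items():
        print(f"{login:24} realm={parse_principal(login, default_realm)[1]:16} "
              f"match={ok!s:5} observed={'OK' if OBSERVED[login] else 'FAIL'}")
    # What [domain_realm] says about the same names when they are treated as hostnames:
    for host in ("mail2.contoso.com", "sub.contoso.com", "SUB.CONTOSO.COM"):
        print(f"host_realm({host!r}) -> {host_realm(host, domain_realm)}")
```

Run as a script it prints one row per login form. In this model a case-sensitive comparison of the login's realm against the ticket's realm reproduces all six of the post's observations: 'user2@sub.contoso.com' yields the realm 'sub.contoso.com', which is not the realm 'SUB.CONTOSO.COM' the ticket carries, and a bare 'user2' gets the default realm CONTOSO.COM. The second loop shows why the [domain_realm] section does not help here: it maps hostnames to realms (and lowercases the hostname before the lookup, so the uppercase keys in the post's file are never reached), and under this particular file both 'sub.contoso.com' and 'mail2.contoso.com' map to CONTOSO.COM rather than to SUB.CONTOSO.COM.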