Gert van Dijk
2019-Aug-01 09:26 UTC
IMAP frontend authenticating proxy with GSSAPI/Kerberos SSO
Hi,

My IMAP backend server is lacking SSO authentication, so I am trying to set up Dovecot in front of it as an authenticating proxy. Fortunately, my backend server provides a way to ignore the password provided and will simply trust the username given to be authenticated, using plain login authentication.

I'm struggling with setting this up, as it seems to me that as soon as I enable GSSAPI/Kerberos SSO in Dovecot it ignores my passdb proxy settings and it creates a local mail store instead. Is this behavior intentional, and why?

See also my Q on Serverfault.com [1], where some user has reported this setup to be working with the same backend server and provided some hints, but I believe I'm hitting a combination that cannot be working with this version.

Dovecot version: v2.3.4.1 (from Debian Buster)

dovecot -n (I'm using only a single flat file dovecot.conf):

====
# dovecot -n
# 2.3.4.1 (f79e8e7e4): /etc/dovecot/dovecot.conf
# Pigeonhole version 0.5.4 ()
# OS: Linux 4.15.0-46-generic x86_64 Debian 10.0 overlay
# Hostname: imap.sub.mydomain.tld
auth_debug = yes
auth_default_realm = MY-REALM.DOMAIN.TLD
auth_gssapi_hostname = imap.sub.mydomain.tld
auth_krb5_keytab = /etc/dovecot/imap.keytab
auth_mechanisms = gssapi
auth_realms = MY-REALM.DOMAIN.TLD
auth_username_format = %n
auth_verbose = yes
log_path = /dev/stderr
mail_gid = 65534
mail_location = mbox:/tmp
mail_uid = 65534
passdb {
  args = proxy=y host=127.0.0.1 port=1143 pass=#hidden_use-P_to_show#
  driver = static
}
protocols = imap
ssl = required
ssl_cert = </etc/dovecot-ssl/cert.crt
ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
ssl_key = # hidden, use -P to show it
ssl_min_protocol = TLSv1.2
ssl_prefer_server_ciphers = yes
====

My comments are lost with "dovecot -n", so here I repeat some why's.
====
# uid/gid of nobody or else:
# imap(username)<15><6SCG0QOPgtcKAAYE>: Error: Couldn't drop privileges: User is missing UID (see mail_uid setting)
mail_uid = 65534
mail_gid = 65534
# Have to set dummy mail_location or else:
# Error: mail_location not set and autodetection failed: Mail storage autodetection failed with home=(not set)
mail_location = mbox:/tmp
====

(Ideally, I don't want to set any local storage, Dovecot should just be a proxy in my case.)

Log, debug enabled, with client connecting:

====
master: Info: Dovecot v2.3.4.1 (f79e8e7e4) starting up for imap
auth: Debug: Loading modules from directory: /usr/lib/dovecot/modules/auth
auth: Debug: Module loaded: /usr/lib/dovecot/modules/auth/lib20_auth_var_expand_crypt.so
auth: Debug: Loading modules from directory: /usr/lib/dovecot/modules/auth
auth: Debug: Module loaded: /usr/lib/dovecot/modules/auth/libmech_gssapi.so
auth: Debug: Read auth token secret from /var/run/dovecot/auth-token-secret.dat
auth: Debug: auth client connected (pid=9)
auth: Debug: client in: AUTH 1 GSSAPI service=imap secured=tls session=9WOjSwWP8toKAAYE lip=9.9.9.9 rip=1.2.3.4 lport=143 rport=56050 local_name=sub.mydomain.tld ssl_cipher=ECDHE-RSA-AES128-GCM-SHA256 ssl_cipher_bits=128 ssl_pfs=KxECDHE ssl_protocol=TLSv1.2
auth: Debug: gssapi(?,1.2.3.4,<9WOjSwWP8toKAAYE>): Obtaining credentials for imap at sub.mydomain.tld
auth: Debug: client passdb out: CONT 1
auth: Debug: client in: CONT<hidden>
auth: Debug: gssapi(username,1.2.3.4,<9WOjSwWP8toKAAYE>): security context state completed.
auth: Debug: client passdb out: CONT 1 YIGZBgkqhki[...]7Bm1G
auth: Debug: client in: CONT<hidden>
auth: Debug: gssapi(username,1.2.3.4,<9WOjSwWP8toKAAYE>): Negotiated security layer
auth: Debug: client passdb out: CONT 1 BQQF/w[...]yjNOo
auth: Debug: client in: CONT<hidden>
auth: Debug: static(username,1.2.3.4,<9WOjSwWP8toKAAYE>): lookup
auth: Info: static(username,1.2.3.4,<9WOjSwWP8toKAAYE>): No password returned (and no nopassword)
auth: Debug: client passdb out: OK 1 user=username original_user=username@MY-REALM.DOMAIN.TLD
auth: Debug: master in: REQUEST 3940810753 9 1 740b6a075ea21dbe10397f3734262bbe session_pid=12 request_auth_token
auth: Debug: master userdb out: USER 3940810753 username auth_token=d1503de7036a68a85ea9db25f32bc9df3ebf08a8 auth_user=username@MY-REALM.DOMAIN.TLD
imap-login: Info: Login: user=<username>, method=GSSAPI, rip=1.2.3.4, lip=9.9.9.9, mpid=12, TLS, session=<9WOjSwWP8toKAAYE>
====

The good news is that everything related to Kerberos/GSSAPI authentication seems to work fine!

Noteworthy in the above output I think is the line "auth: Debug: client passdb out: ..." which does not mention any proxy related settings any longer, which aligns with my observations:

- The client is then logged into an empty mailbox in local storage. Not okay.
- No attempt to connect to my backend server is made (checked with tcpdump). Not okay.

Somehow I start to believe that as soon as I set auth_mechanisms = gssapi, any args/field in passdb are ignored. Is that a bug or am I looking at a feature?

What else have I tried:

- Using imapc proxy [2], but that example config does not work in my Dovecot version with the error:
  auth: Error: prefetch(username,1.2.3.4,): userdb lookup not possible with only userdb prefetch
- Using a passdb with master=yes and pass=yes.
passdb {
  driver = static
  args = proxy=y host=127.0.0.1 port=1143 pass=dummypass
  master = yes
  pass = yes
}

This fails with the error:

auth: Fatal: Master passdb can't have pass=yes if there are no passdbs
master: Error: service(auth): command startup failed, throttling for 2 secs
imap-login: Info: Disconnected: Auth process broken (disconnected before auth was ready, waited 0 secs): user=<>, rip=1.2.3.4, lip=9.9.9.9, session=<0i46qgWPntsKAAYE>
imap-login: Warning: Timeout leak: 0x7efe483e8120 (auth-server-connection.c:397)

Any help or clues are very much appreciated. Thanks!

[1]: https://serverfault.com/q/951010/135437
[2]: https://wiki.dovecot.org/HowTo/ImapcProxy

Gert van Dijk
Timo Sirainen
2019-Aug-01 13:42 UTC
IMAP frontend authenticating proxy with GSSAPI/Kerberos SSO
On 1 Aug 2019, at 12.26, Gert van Dijk via dovecot <dovecot at dovecot.org> wrote:
>
> passdb {
>   args = proxy=y host=127.0.0.1 port=1143 pass=#hidden_use-P_to_show#
..
> auth: Info: static(username,1.2.3.4,<9WOjSwWP8toKAAYE>): No password
> returned (and no nopassword)

I think this is why it's not using the passdb at all. Try adding password=something to the args.
Gert van Dijk
2019-Aug-01 14:24 UTC
IMAP frontend authenticating proxy with GSSAPI/Kerberos SSO
On Thu, Aug 1, 2019 at 3:42 PM Timo Sirainen <timo at sirainen.com> wrote:
>
> On 1 Aug 2019, at 12.26, Gert van Dijk via dovecot <dovecot at dovecot.org> wrote:
> >
> > passdb {
> >   args = proxy=y host=127.0.0.1 port=1143 pass=#hidden_use-P_to_show#
> ..
> > auth: Info: static(username,1.2.3.4,<9WOjSwWP8toKAAYE>): No password
> > returned (and no nopassword)
>
> I think this is why it's not using the passdb at all. Try adding password=something to the args.

Thanks for your quick reply.

passdb {
  driver = static
  args = proxy=y host=127.0.0.1 port=1143 pass=masterpass password=something
}

indeed does the trick:

imap-login: Info: proxy(username): started proxying to 127.0.0.1:1143: user=<username>, method=GSSAPI, rip=1.2.3.4, lip=9.9.9.9, TLS, session=<iJvnvg6P8KEKAAYE>

Also nopassword=y instead of password=something works, which I think is even better. I was also able to remove the mail_location / mail_uid / mail_gid settings. :-)

Thanks a million!

(I now have a new error, listing subfolders errors in IMAP clients. Oh well..., another thing to dive in another time.)

Gert van Dijk
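The thread turns on two configuration pitfalls that are easy to catch before deployment: a static passdb that carries proxy fields but sets neither password= nor nopassword=y (the lookup logs "No password returned (and no nopassword)" and the proxy fields are not used), and a master passdb with pass=yes when no regular passdb exists (the auth process fails at startup). The following linter is an added example written for this thread; it is not Dovecot code and not the poster's configuration. It assumes the classic flat `key = value` / `passdb { ... }` syntax with no nested blocks inside passdb, treats a bare flag in args as `=y` (this linter's convention, not a documented Dovecot rule), and the three configs embedded in it are constructed to mirror the variants discussed above.

```python
"""Lint a Dovecot configuration for the static-passdb proxy pitfalls discussed
in the thread.  Constructed example; not Dovecot code.  Assumes the classic
`key = value` / `passdb { ... }` syntax with no nested blocks inside passdb."""
import re

# Matches each top-level `passdb { ... }` block.  The passdb blocks in the
# thread hold only flat `key = value` lines, so a non-greedy match up to the
# first closing brace is sufficient here.
PASSDB_RE = re.compile(r"\bpassdb\s*\{(.*?)\}", re.S)


def parse_passdbs(conf: str) -> list:
    """Return one {setting: value} dict per passdb block, in file order."""
    passdbs = []
    for match in PASSDB_RE.finditer(conf):
        settings = {}
        for line in match.group(1).splitlines():
            line = line.strip()
            # Only whole-line comments are dropped: a '#' may legitimately
            # appear inside a value (dovecot -n prints pass=#hidden...#).
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
        passdbs.append(settings)
    return passdbs


def parse_args(args: str) -> dict:
    """Split a static passdb `args` string into its key=value fields.

    A bare flag (e.g. `proxy`) is recorded as "y"; this is the linter's own
    convention, assumed rather than taken from Dovecot documentation.
    """
    fields = {}
    for token in args.split():
        key, sep, value = token.partition("=")
        fields[key] = value if sep else "y"
    return fields


def lint_passdbs(conf: str) -> list:
    """Return human-readable findings; an empty list means nothing was flagged."""
    passdbs = parse_passdbs(conf)
    regular = [p for p in passdbs if p.get("master") != "yes"]
    findings = []
    for index, passdb in enumerate(passdbs, start=1):
        if passdb.get("driver") == "static":
            fields = parse_args(passdb.get("args", ""))
            # Root cause in the thread: a static passdb that proxies but sets
            # neither password= nor nopassword=y returns no password, and its
            # proxy fields are then not used.
            if (fields.get("proxy") == "y" and "password" not in fields
                    and fields.get("nopassword") != "y"):
                findings.append(
                    f"passdb #{index}: static proxy passdb needs password=... "
                    "or nopassword=y, otherwise the proxy fields are ignored")
        # Second dead end in the thread: a master passdb with pass=yes but no
        # regular passdb makes the auth process fail at startup.
        if (passdb.get("master") == "yes" and passdb.get("pass") == "yes"
                and not regular):
            findings.append(
                f"passdb #{index}: master passdb has pass=yes but there is "
                "no regular passdb to fall through to")
    return findings


# Constructed configs mirroring the three variants discussed in the thread.
BROKEN_CONF = """
auth_mechanisms = gssapi
passdb {
  args = proxy=y host=127.0.0.1 port=1143 pass=masterpass
  driver = static
}
"""

MASTER_ONLY_CONF = """
passdb {
  driver = static
  args = proxy=y host=127.0.0.1 port=1143 pass=dummypass
  master = yes
  pass = yes
}
"""

FIXED_CONF = """
passdb {
  driver = static
  args = proxy=y host=127.0.0.1 port=1143 pass=masterpass nopassword=y
}
"""

if __name__ == "__main__":
    for name, conf in [("broken", BROKEN_CONF), ("master-only", MASTER_ONLY_CONF),
                       ("fixed", FIXED_CONF)]:
        print(name, lint_passdbs(conf) or ["ok"])
```

Run it against the output of `dovecot -n` piped into a file to check a real configuration; the first finding reproduces exactly the condition Timo pointed at in the "No password returned (and no nopassword)" log line.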