Hi all,

I've got a Dovecot v2.3.3 IMAP server with GSSAPI auth set up.
This server is in the main domain, 'contoso.com'. I also have several
subdomains.

My problem is usernames with GSSAPI authentication:

When I try to log in as 'user' or as 'u...@contoso.com', everything
works. But 'u...@contoso.com' auth fails.
When I try to log in as a subdomain user, 'user2', it fails to log in.
'us...@sub.contoso.com' fails also.
However, 'us...@sub.contoso.com' works OK.

It looks like PAM uses the domain part of the login as the Kerberos realm name,
regardless of the Kerberos domain-realm mapping. Also, if the domain part is not
specified, PAM (Kerberos?) fails to determine a non-default realm.

What am I missing?
Is there a way to use traditional 'user@domain' login names with
PAM/GSSAPI instead of Kerberos ticket names?
Or maybe to tell the PAM module to convert the domain part of the username to
uppercase before using it?

Thanks for any help or advice.

===== dovecot.conf: =====
auth_mechanisms = gssapi plain login external
auth_gssapi_hostname = "$ALL"
auth_krb5_keytab = /etc/krb5.keytab
auth_default_realm =
passdb {
  driver = pam
  args = cache_key=%d%r%n failure_show_msg=yes dovecot
}
userdb {
  driver = static
  args = uid=502 gid=502 home=/var/vmail/%L{auth_domain}/%L{auth_username} mail=maildir:/var/vmail/%L{auth_domain}/%L{auth_username}/Maildir allow_all_users=yes
}
=====

===== pam.d/dovecot: =====
auth        sufficient    pam_krb5.so use_first_pass
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
password    sufficient    pam_krb5.so use_authtok
session     optional      pam_krb5.so
=====

===== krb5.conf: =====
[libdefaults]
default_realm = CONTOSO.COM
dns_lookup_realm = true
dns_lookup_kdc = true
[realms]
CONTOSO.COM = {
    kdc = dc.contoso.com:88
    admin_server = dc.contoso.com:749
}

[domain_realm]
contoso.com = CONTOSO.COM
.contoso.com = CONTOSO.COM
sub.contoso.com = CONTOSO.COM
.sub.contoso.com = CONTOSO.COM
SUB.CONTOSO.COM = CONTOSO.COM
.SUB.CONTOSO.COM = CONTOSO.COM

[appdefaults]
pam = {
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
}

===== klist server: =====
Default principal: imap/mail2.contoso....@contoso.com

===== klist client: =====
Default principal: us...@sub.contoso.com


===== Logging in with us...@sub.contoso.com - OK: =====

 auth: Debug: client in: AUTH    1       GSSAPI  service=imap
secured=tls  session=....
 auth: Debug: gssapi(?,192.168.....,<MR1yvq6DftfAqAoP>): Using all
keytab entries
 auth: Debug: client passdb out: CONT    1
 auth: Debug: client in: CONT<hidden>
 auth: Debug:
gssapi(us...@sub.contoso.com,192.168....,<MR1yvq6DftfAqAoP>): security
context state completed.
 auth: Debug: client passdb out: CONT    1       YIGVB....
 auth: Debug: client in: CONT<hidden>
 auth: Debug:
gssapi(us...@sub.contoso.com,192.168.....,<MR1yvq6DftfAqAoP>):
Negotiated security layer
 auth: Debug: client passdb out: CONT    1       BQQF/.....
 auth: Debug: client in: CONT<hidden>
 auth: Debug:
pam(us...@sub.contoso.com,192.168.....,<MR1yvq6DftfAqAoP>): passdb
doesn't support credential lookups
 auth: Debug:
gssapi(us...@sub.contoso.com,192.168.....,<MR1yvq6DftfAqAoP>): skipping
passdb: mechanism filtered
 auth: Debug: client passdb out: OK      1
user=us...@sub.contoso.com        original_user=us...@sub.contoso.com


===== Logging in with us...@sub.contoso.com - FAIL: =====

 auth: Debug: client in: AUTH    1       GSSAPI  service=imap
secured=tls   session=...
 auth: Debug: gssapi(?,192.168....,<Hgh4zq6DhNfAqAoP>): Using all keytab
entries
 auth: Debug: client passdb out: CONT    1
 auth: Debug: client in: CONT<hidden>
 auth: Debug:
gssapi(us...@sub.contoso.com,192.168....,<Hgh4zq6DhNfAqAoP>): security
context state completed.
 auth: Debug: client passdb out: CONT    1       YIGVB.....
 auth: Debug: client in: CONT<hidden>
 auth: Debug:
gssapi(us...@sub.contoso.com,192.168....,<Hgh4zq6DhNfAqAoP>): Negotiated
security layer
 auth: Debug: client passdb out: CONT    1       BQQF/.....
 auth: Debug: client in: CONT<hidden>
 auth: Debug:
pam(us...@sub.contoso.com,192.168.....,<Hgh4zq6DhNfAqAoP>): passdb
doesn't support credential lookups
 auth: Debug:
gssapi(us...@sub.contoso.com,192.168.....,<Hgh4zq6DhNfAqAoP>): skipping
passdb: mechanism filtered
 auth: Debug: client passdb out: FAIL    1
user=us...@sub.contoso.com        original_user=us...@sub.contoso.com

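As an added illustration of the domain-realm mapping question above (this is example code, not from the post, Dovecot or pam_krb5): the helper below parses the [domain_realm] entries from the quoted krb5.conf, embedded as a constructed sample, and resolves a login's domain part to a realm following MIT krb5's documented lookup order (an assumption, simplified: exact name first, then each parent domain with a leading dot, then default_realm), side by side with the literal "domain part upper-cased as realm" behaviour the post suspects.

```python
import re

# Constructed sample: the [libdefaults] and [domain_realm] entries from the post.
KRB5_CONF = """\
[libdefaults]
default_realm = CONTOSO.COM
[domain_realm]
contoso.com = CONTOSO.COM
.contoso.com = CONTOSO.COM
sub.contoso.com = CONTOSO.COM
.SUB.CONTOSO.COM = CONTOSO.COM
"""

def parse_krb5_conf(text):
    """Parse flat 'key = value' sections (no nested {} blocks, so [realms] is out of scope)."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            current = sections.setdefault(m.group(1), {})
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            current[key.lower()] = value  # domain keys are matched case-insensitively
    return sections

def realm_for_domain(conf, domain):
    """Assumed MIT order: exact name, then '.parent' for each parent domain;
    fall back to default_realm when nothing matches (DNS TXT lookup not modelled)."""
    mapping = conf.get("domain_realm", {})
    labels = domain.lower().split(".")
    candidates = [domain.lower()] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    for cand in candidates:
        if cand in mapping:
            return mapping[cand]
    return conf.get("libdefaults", {}).get("default_realm")

def principal_for_login(conf, login, use_mapping=True):
    """Build 'user@REALM' from 'user' or 'user@domain'. use_mapping=False takes the
    domain part literally (upper-cased) as the realm, the behaviour the post suspects."""
    user, _, domain = login.partition("@")
    if not domain:
        realm = conf["libdefaults"]["default_realm"]
    elif use_mapping:
        realm = realm_for_domain(conf, domain)
    else:
        realm = domain.upper()
    return f"{user}@{realm}"
```

With the mapping applied, 'user2@sub.contoso.com' resolves to the CONTOSO.COM realm; taken literally it becomes the non-existent SUB.CONTOSO.COM realm, which is the difference worth checking in the KDC and auth logs.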