[Dovecot] How to grant a kerberos ticket after successful imap authentication from dovecot
Hello everybody,
I hope this question is appropriate for this list. Apologies if not.
I am running a set of virtual machines under Debian 6, to build a mail/collaboration server. I am mainly using dovecot, postfix, openldap and heimdal. Mails are stored using maildir, on a NFSv4 share.
My users are system users, but using LDAP and libpam-ldap and libnss-ldap for caching credentials information.
Everything is working as expected, well, /almost/.
Since NFS is using kerberos, by default, my users are not able to access their mail storage if they have not received their kerberos ticket.
For instance, if I do nothing, these are the errors I get from dovecot when trying to log on using any imap client:
Mar 31 09:33:07 titan dovecot: imap-login: Login: user=,
method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
Mar 31 09:33:07 titan dovecot: dovecot: Fatal:
chdir(/home/emails/team/arodier/) failed: Permission denied
(euid=1003(arodier) egid=1001(red2team) missing +x perm: /home/emails)
Mar 31 09:33:07 titan dovecot: dovecot: child 5089 (imap) returned
error 89 (Fatal failure)
However, if I just login on a console for the user "/arodier/", I see that I have received a ticket, and I can see it with klist:
Credentials cache: FILE:/tmp/krb5cc_1001_ywvktf
Principal: arodier@RED2.SRV
Issued Expires Principal
Mar 31 09:25:55 Mar 31 19:25:53 krbtgt/RED2.SRV@RED2.SRV
Mar 31 09:25:57 Mar 31 19:25:53 nfs/ananke.red2.srv@RED2.SRV
Once I have simply logged myself on a console, I can access my emails using any IMAP client.
The question is: how should I configure libpam (or dovecot?) to initialise/receive a kerberos ticket after successful authentication?
Thanks for your answers.
On 31.3.2011, at 12.04, André Rodier wrote:
How should I configure libpam (or dovecot?) to initialise/receive a kerberos ticket after successful authentication?
I doubt this is possible. At least not directly via PAM authentication, because in Dovecot the authentication is done by a separate authentication process. You could possibly use http://untroubled.org/mailfront/imapfront.html with Dovecot's imap binary.
Thanks, Timo.
So, other questions:
* Can I use a post login script to try to initialise the kerberos ticket?
* Can I write a dovecot plugin in C/C++ to do that, and in this case?
* If I use a plugin or a script, do I have access to the username / password?
* If I use a plugin, where can I find a skeleton?
Kind regards,
André Rodier.
On 31/03/2011 10:50, Timo Sirainen wrote:
--
/André Rodier/ r e d 2 The red2 Group of companies; red2, red2 Services and red2 Agency 34-35 Eastcastle Street, London W1W 8DW www.red2.co.uk <http://www.red2.co.uk/> | andre.rodier@red2.co.uk <mailto:andre.rodier@red2.co.uk>
(+44) 0203 397 0594 direct (+44) 0751 124 4961 mobile
On 31.3.2011, at 17.32, André Rodier wrote:
With v1.x yes, with v2.x no (because in v2.x it's again in a separate process to allow support for multiple clients per process).
Yes.
Username yes, password no. I guess you could modify Dovecot code so PAM code saves the password and passes it to mail process.
v1.x or v2.x? v1.x is really simple, v2.x needs more work.
How are mails delivered then anyway? Doesn't that process also need some kerberos ticket?
On 31/03/2011 15:37, Timo Sirainen wrote:
Hello Timo,
You were right. Since I have switched to NFSv4/Kerberos, I started by testing the mail access before the delivery.
Testing the dovecot deliver script just now, it fails as well... I probably have to use another method to obtain the ticket.
I can also try to use a virtual user for the whole mail storage... If I find a solution, I'll post it on this list.
I use dovecot 1.2, included by default on Debian squeeze.
Kind regards. André Rodier.
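One concrete form of the post-login approach Timo says works with v1.x, written here as an added example rather than anything posted in the thread: a wrapper installed as the Dovecot 1.x mail_executable that obtains a ticket from a keytab for a single virtual mail user (the "virtual user for the whole mail storage" idea above) and then execs the real imap binary. The keytab path, principal, cache directory and imap binary path are assumptions; the wrapper acquires its own ticket from a keytab because, as noted above, the post-login process never sees the user's password.

```shell
#!/bin/sh
# Added example: a Dovecot v1.x post-login wrapper (mail_executable points
# here) that obtains a Kerberos ticket from a keytab for a single virtual
# mail user and then execs the real imap binary. All paths and the
# principal below are assumptions, not values from the thread.
set -eu
KEYTAB="${KEYTAB:-/etc/dovecot/vmail.keytab}"     # readable by the mail user only
PRINCIPAL="${PRINCIPAL:-vmail@RED2.SRV}"          # assumed principal for the mail user
IMAP_BIN="${IMAP_BIN:-/usr/lib/dovecot/imap}"
CCACHE_DIR="${CCACHE_DIR:-/var/run/dovecot/krb5cc}"

# Map the login name Dovecot exports in $USER to a per-session cache path.
# Names that could change the path (slashes, spaces, shell metacharacters)
# are rejected so a crafted login name cannot redirect the cache file.
ccache_for() {
    case "$1" in
        ''|*[!a-zA-Z0-9._-]*) return 1 ;;
    esac
    printf 'FILE:%s/krb5cc_%s\n' "$CCACHE_DIR" "$1"
}

# klist -s (Heimdal and MIT) exits 0 only if the cache holds unexpired tickets.
ticket_valid() {
    KRB5CCNAME="$1" klist -s 2>/dev/null
}

# kinit -k takes the key from the keytab, so no password is needed: the
# post-login process never sees the user's password anyway.
acquire_ticket() {
    KRB5CCNAME="$1" kinit -k -t "$KEYTAB" "$PRINCIPAL"
}

main() {
    user="${USER:?Dovecot exports USER to the post-login process}"
    ccache=$(ccache_for "$user") || {
        echo "imap-krb-wrapper: rejected login name, refusing session" >&2; exit 1
    }
    umask 077                       # cache files must not be world-readable
    mkdir -p "$CCACHE_DIR"
    ticket_valid "$ccache" || acquire_ticket "$ccache" || {
        echo "imap-krb-wrapper: kinit failed, refusing IMAP session" >&2; exit 1
    }
    export KRB5CCNAME="$ccache"
    exec "$IMAP_BIN" "$@"
}

# Run only when invoked as the installed wrapper; sourcing the file just
# defines the functions above.
case "$0" in */imap-krb-wrapper) main "$@" ;; esac
```

With the wrapper at the assumed path, the v1.x setting is `mail_executable = /usr/local/sbin/imap-krb-wrapper` inside the imap protocol section; the same wrapping idea applies to the deliver binary, which the thread notes fails for the same reason.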