Hello everybody,

I hope this question is appropriate for this list. Apologies if not.

I am running a set of virtual machines under Debian 6 to build a mail/collaboration server. I am mainly using Dovecot, Postfix, OpenLDAP and Heimdal. Mails are stored in Maildir format on an NFSv4 share.

My users are system users, but they come from LDAP, using libpam-ldap and libnss-ldap for caching credential information.

Everything is working as expected, well, /almost/.

Since NFS is using Kerberos, by default my users are not able to access their mail storage if they have not received their Kerberos ticket.

For instance, if I do nothing, these are the errors I get from Dovecot when trying to log on using any IMAP client:

   Mar 31 09:33:07 titan dovecot: imap-login: Login: user=,
   method=PLAIN, rip=127.0.0.1, lip=127.0.0.1, secured
   Mar 31 09:33:07 titan dovecot: dovecot: Fatal:
   chdir(/home/emails/team/arodier/) failed: Permission denied
   (euid=1003(arodier) egid=1001(red2team) missing +x perm: /home/emails)
   Mar 31 09:33:07 titan dovecot: dovecot: child 5089 (imap) returned
   error 89 (Fatal failure)

However, if I just log in on a console as the user "/arodier/", I see that I have received a ticket, and I can see it with klist:

   Credentials cache: FILE:/tmp/krb5cc_1001_ywvktf
   Principal: arod...@red2.srv

   Issued Expires Principal
   Mar 31 09:25:55 Mar 31 19:25:53 krbtgt/red2....@red2.srv
   Mar 31 09:25:57 Mar 31 19:25:53 nfs/ananke.red2....@red2.srv

Once I have simply logged in on a console, I can access my emails using any IMAP client.

The question is:
How should I configure libpam (or Dovecot?) to initialise/receive a Kerberos ticket after successful authentication?

Thanks for your answers.
