Mail accounts in heterogeneous environments

Simo Sorce ssorce at redhat.com
Mon Jul 2 13:58:15 UTC 2007


On Mon, 2007-07-02 at 14:56 +0400, Dmitry Butskoy wrote:
> Trever L. Adams wrote:
> > Dmitry Butskoy wrote:
> >   
> >> - Is there some other solution for the support of "SPA against 
> >> domain" by Linux MTA/pop/imap servers in Fedora?
> >>
> >> Regards,
> >> Dmitry Butskoy
> >>     
> >
> > Thank you for asking all of these questions. I am looking at doing a lot 
> > of these and have not yet asked these. It seems a lot of software 
> > (server) works with much of this, however, I would like to see 
> > (hopefully in F8) the ability to do SPA like stuff on everything (client 
> > and servers).
> 
> After adding SPA support to the smtp/pop3/imap servers in Fedora, it 
> seems that we shall be close to a solution of this problem, at least at 
> the application level. There are enough applications for which an 
> NTLM implementation looks useful and which already support it (Mozilla, 
> Evolution, Squid, Apache, etc.)

While I am all for supporting NTLM, what I'd really like to see is
Kerberos support. Some of these services use SASL/GSSAPI, but there are
still too many that do not.

One idea I am dreaming of is to make it possible to install a "local"
kerberos realm on each fedora installation. This would make it possible
to kerberize services and have SSO with your own machine services (think
of accessing the CUPS web interface or your own home via apache without
password prompts as your auth is done via kerberos).

> >  Particularly, I would like to see the ability to have a 
> > REAL cifs implementation. Right now, everything is done as the one who 
> > mounted (or --user) the fs. Can we get an AD version of this so that 
> > permissions get used and mapped as much as possible to Linux fs 
> > permissions and so that the user who requests the operation is the user 
> > used, not root, not --user, etc.?
> >   
> 
> Such a mapping is implemented in Samba's winbind daemon (i.e. SID->uid 
> mapping etc.). The issue is how to report this mapping to kernel level.
> Perhaps it is a task for some user-level filesystem over FUSE ?...

No, the problem is different: the problem is re-authenticating users and
opening a new session when they walk into a mount point.
CIFS is not NFS; the server does NOT trust the clients. You can't mount
authenticating as Joe and then tell the server: "hey, I am Jim, let me
access his files". You must re-auth as Jim to _prove_ you really are.

So the real problem is not so much about mapping (there is no real mapping
problem, because the WHOAMI call can tell you what Joe's and Jim's SIDs are,
and anything else does not really matter as a client).

The real problem is to re-auth. Where do you get the credentials?
The very best way is to use Kerberos (NFSv4 does this, for example) so
that all you need is to have a ticket on your system and the kernel can
use it on your behalf when you walk mount points. Unfortunately, using
Kerberos is easier said than done, as you can't simply link to libkrb5
in the kernel. So you need a helper daemon and an upcall mechanism ...
difficult to do, but we will eventually get there.
Another way is to cache credentials and use NTLM, but that's not always
available anyway (some AD environments are starting to mandate Kerberos only).

All this stuff is planned; it is just a matter of time and of deciding on
the correct upcall mechanism.

Simo.



