On 1/27/22 12:01 PM, Brian J. Murrell wrote:
> I am trying to debug why having KRB5_KTNAME set in the environment of a
> process is not actually making that process use that keytab file but
> instead is using the default /etc/krb5.keytab.

There are three possible reasons why environment variables might be ignored. First, Postfix might be asking for a secure krb5 context (krb5_init_secure_context()). Second (and I think the most likely), the process may be running with elevated privilege as determined by secure_getenv(). A setuid or setgid bit on the executable could be enough to trigger this. Third, as Ken suggested, the program might clean up its own environment.

If any of these are true, then you have limited options to affect the program behavior from outside of the process. You can change the default keytab location in /etc/krb5.conf, but that would be global (and of course you can't point the program at a different config file via environment variable because those are ignored).

Of course, the program itself can provide configuration for the keytab file. I couldn't find any gss_ or krb5_ calls in the Postfix source code (looking at Viktor Dukhovni's git mirror), so I don't have any immediate insight as to whether that's currently possible or what would need to change.

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
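
A way to check the second and third possibilities from outside the process, as an added example (not part of the original message, and not Postfix or MIT krb5 code): on Linux, /proc/<pid>/auxv carries the AT_SECURE flag that puts glibc's secure_getenv() into its return-NULL mode, and /proc/<pid>/environ shows the environment the process was exec'd with. The function names, buffer sizes and the assumption that the target has the same word size as the tool are this example's own.

```c
#include <elf.h>      /* AT_NULL, AT_SECURE */
#include <stdio.h>
#include <string.h>

/* Find NAME in a NUL-separated environ image; return its value or NULL. */
const char *environ_lookup(const char *buf, size_t len, const char *name)
{
    size_t nlen = strlen(name);
    for (size_t i = 0; i < len; ) {
        const char *end = memchr(buf + i, '\0', len - i);
        if (end == NULL) break;          /* unterminated tail: ignore it */
        size_t elen = (size_t)(end - (buf + i));
        if (elen > nlen && buf[i + nlen] == '=' && !memcmp(buf + i, name, nlen))
            return buf + i + nlen + 1;
        i += elen + 1;
    }
    return NULL;
}

/* 1 if AT_SECURE set, 0 if clear, -1 if absent; assumes our word size. */
int auxv_at_secure(const unsigned long *aux, size_t words)
{
    for (size_t i = 0; i + 1 < words && aux[i] != AT_NULL; i += 2)
        if (aux[i] == AT_SECURE)
            return aux[i + 1] != 0;
    return -1;
}

/* Read /proc/<pid>/<file> (Linux) into dst; returns bytes read, 0 on error. */
static size_t slurp(const char *pid, const char *file, void *dst, size_t cap)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/%s/%s", pid, file);
    FILE *f = fopen(path, "rb");
    size_t n = f ? fread(dst, 1, cap, f) : 0;
    if (f) fclose(f);
    return n;
}

int main(int argc, char **argv)
{
    const char *pid = argc > 1 ? argv[1] : "self";
    static char env[1 << 17];
    static unsigned long aux[128];
    const char *kt = environ_lookup(env, slurp(pid, "environ", env, sizeof env), "KRB5_KTNAME");
    int sec = auxv_at_secure(aux, slurp(pid, "auxv", aux, sizeof aux) / sizeof aux[0]);
    printf("KRB5_KTNAME at exec: %s\nAT_SECURE: %d\n", kt ? kt : "(absent or unreadable)", sec);
    return 0;
}
```

Run it as root with the daemon's PID as the argument. `AT_SECURE: 1` means secure_getenv() returns NULL for every variable in that process, and an absent KRB5_KTNAME means the variable never reached the process at exec; changes a program makes to its own environment after exec do not show up in /proc/<pid>/environ.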