On Fri, Jan 01, 2016 at 02:46:33PM -0500, Brendan Kearney wrote:

> Postfix version - 3.0.3 running on Fedora 22. MIT Kerberos and OpenLDAP are
> being used.
>
> my ldap-users.cf file, for example:
> server_host = ldap://server1.bpk2.com ldap://server2.bpk2.com
> search_base = dc=bpk2,dc=com
> version = 3
>
> bind = sasl
> bind_dn = uid=mta,ou=processUsers,ou=Users,dc=bpk2,dc=com
> sasl_mechs = gssapi
> sasl_realm = BPK2.COM
>
> query_filter = (mail=%s)

Where is the credential cache for the "postfix" ($mail_owner) user?

> the above results in the below error logs:
> Jan 01 14:33:50 mail postfix/trivial-rewrite[17185]: GSSAPI Error:
> Unspecified GSS failure. Minor code may provide more information (No
> Kerberos credentials available)

Not surprising, you need a cred cache.

> I am assuming the keytab, /etc/postfix/postfix.keytab would be used to bind
> to the directory, but i am not sure.

No, Kerberos keytabs are not credential caches. You need to run
"kinit" to obtain credentials via a keytab. I recommend an hourly
cron job that runs as "postfix":

    export KRB5_KTNAME=FILE:/etc/postfix/postfix.keytab
    export KRB5CCNAME=FILE:$(postconf -xh queue_directory)/ccache
    principal=smtp/$(uname -n)
    kinit -k "$principal"

Then in main.cf add:

    # var=import_environment
    # val=$(postconf -h "$var")
    # postconf -e "$var = $val KRB5CCNAME=FILE:\${queue_directory}/ccache"

> import_environment = MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY
> DISPLAY LANG=C KRB5_KTNAME=/etc/postfix/postfix.keytab
> export_environment = TZ MAIL_CONFIG LANG KRB5_KTNAME

This suffices for Postfix as a Kerberos server, but not as a Kerberos
client.

-- 
	Viktor.
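
An added example, not part of the original message and not Postfix project code: a wrapper for the hourly kinit job described above that refuses a keytab readable by group or others (a keytab holds long-term keys) and replaces the cache only after kinit succeeds. The function names and the temporary-file naming are assumptions; the keytab path, cache location and principal are the ones from the message.

```shell
#!/bin/sh
# Hourly cron job, run as the "postfix" user.
# Function names and the ".tmp.$$" suffix are hypothetical (added example).

# Succeed only if $1 is a regular file with no group/other permission bits.
private_file() {
    [ -f "$1" ] || return 1
    # "ls -ld" mode string: char 1 = type, 2-4 = owner, 5-10 = group + other.
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# refresh_ccache KEYTAB CCACHE PRINCIPAL
# Obtain a ticket from the keytab into a temporary cache, then rename it
# over the live cache so a failed run never removes working credentials.
refresh_ccache() {
    keytab=$1
    ccache=$2
    principal=$3

    if ! private_file "$keytab"; then
        echo "refusing $keytab: missing or accessible to group/others" >&2
        return 1
    fi

    tmp="$ccache.tmp.$$"
    if ! KRB5_KTNAME="FILE:$keytab" KRB5CCNAME="FILE:$tmp" \
            kinit -k "$principal"; then
        rm -f "$tmp"
        echo "kinit failed for $principal; existing cache left in place" >&2
        return 1
    fi

    # Keep the cache private to the owner before it becomes visible.
    chmod 600 "$tmp" && mv -f "$tmp" "$ccache"
}

# Invoked from cron as: refresh-ccache.sh run
if [ "${1:-}" = "run" ]; then
    refresh_ccache /etc/postfix/postfix.keytab \
        "$(postconf -xh queue_directory)/ccache" "smtp/$(uname -n)"
fi
```

A non-zero exit from the cron job then signals either a keytab permission problem or a failed kinit, both of which show up in Postfix as the "No Kerberos credentials available" error once the old ticket expires.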