Never knew this. What is the SPN postfix/sasl needs?

And a simple way to make the client work: set up a samba client; if set up 
correctly, samba will refresh the keytab file.

If someone wants info on this, I can answer again Monday.

greetz,
louis

> On 1 Jan 2016 at 21:17, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
> 
>> On Fri, Jan 01, 2016 at 02:46:33PM -0500, Brendan Kearney wrote:
>> 
>> Postfix version - 3.0.3 running on Fedora 22.  MIT Kerberos and OpenLDAP are
>> being used.
>> 
>> my ldap-users.cf file, for example:
>> server_host = ldap://server1.bpk2.com ldap://server2.bpk2.com
>> search_base = dc=bpk2,dc=com
>> version = 3
>> 
>> bind = sasl
>> bind_dn = uid=mta,ou=processUsers,ou=Users,dc=bpk2,dc=com
>> sasl_mechs = gssapi
>> sasl_realm = BPK2.COM
>> 
>> query_filter = (mail=%s)
> 
> Where is the credential cache for the "postfix" ($mail_owner) user?
> 
>> the above results in the below error logs:
>> Jan 01 14:33:50 mail postfix/trivial-rewrite[17185]: GSSAPI Error:
>> Unspecified GSS failure.  Minor code may provide more information (No
>> Kerberos credentials available)
> 
> Not surprising, you need a cred cache.
> 
>> I am assuming the keytab, /etc/postfix/postfix.keytab, would be used to bind
>> to the directory, but I am not sure.
> 
> No, Kerberos keytabs are not credential caches.  You need to run "kinit"
> to obtain credentials via a keytab.  I recommend an hourly cron job
> that runs as "postfix":
> 
>    export KRB5_KTNAME=FILE:/etc/postfix/postfix.keytab
>    export KRB5CCNAME=FILE:$(postconf -xh queue_directory)/ccache
>    principal=smtp/$(uname -n)
>    kinit -k "$principal"
> 
> Then in main.cf add:
> 
>    # var=import_environment
>    # val=$(postconf -h "$var")
>    # postconf -e "$var = $val KRB5CCNAME=FILE:\${queue_directory}/ccache"
> 
>> import_environment = MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY
>> DISPLAY LANG=C KRB5_KTNAME=/etc/postfix/postfix.keytab
>> export_environment = TZ MAIL_CONFIG LANG KRB5_KTNAME
> 
> This suffices for Postfix as a Kerberos server, but not as a Kerberos
> client.
> 
> -- 
>    Viktor.
> 
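
As an added example (not part of the thread and not written by its participants): a cron-ready form of the keytab-to-credential-cache refresh Viktor describes, which also refuses a keytab that group or others can access and swaps the new cache in by rename. The script name `refresh-ccache.sh`, the function names and the return codes are assumptions; `kinit -k -t`, `kinit -c` and `klist -s` are MIT Kerberos options.

```shell
#!/bin/sh
# Added example, not from the thread. Hypothetical script name; the
# argument values below are the ones used in the thread:
#   refresh-ccache.sh /etc/postfix/postfix.keytab \
#       "$(postconf -xh queue_directory)/ccache" "smtp/$(uname -n)"

# Succeed only if the keytab is a regular file with no group/other
# permission bits: it holds the service's long-term keys.
keytab_is_private() {
    kt=$1
    [ -f "$kt" ] && [ ! -L "$kt" ] || return 1
    case $(LC_ALL=C ls -ld "$kt") in
        -???------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Get a TGT from the keytab into a temporary cache, verify it, then rename
# it over the live cache so a lookup never reads a half-written file.
refresh_ccache() {
    keytab=$1 ccache=$2 principal=$3
    if ! keytab_is_private "$keytab"; then
        echo "refusing to use $keytab: missing or not private" >&2
        return 2
    fi
    tmp="$ccache.new.$$"
    if ! kinit -k -t "$keytab" -c "FILE:$tmp" "$principal"; then
        rm -f "$tmp"; return 3
    fi
    # klist -s prints nothing; its exit status says whether the cache
    # can be read and holds an unexpired ticket.
    if ! klist -s "FILE:$tmp"; then
        rm -f "$tmp"; return 4
    fi
    mv -f "$tmp" "$ccache"
}

# Run only when called with KEYTAB CCACHE PRINCIPAL.
if [ $# -eq 3 ]; then
    refresh_ccache "$@"
fi
```

Run it from the `postfix` user's crontab so the cache it writes is owned by the account that reads it; a non-zero exit leaves the previous cache in place.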
