The SPN would be smtp/host.domain.tld@REALM.
The primary is smtp.
The instance is the hostname of the machine, or, in a load-balanced
environment, the name of the Virtual IP (VIP) that the clients connect
to. If you are load balancing, you create one keytab file and
distribute that same exact keytab to all load-balanced pool members.
The realm is the Kerberos realm configured in /etc/krb5.conf.
See
http://web.mit.edu/KERBEROS/krb5-1.5/krb5-1.5.4/doc/krb5-user/What-is-a-Kerberos-Principal_003f.html
for more info.
A couple of additional questions I have come up with:
How does one tell postfix/submission what principal to use when in a
load-balanced environment and the keytab differs from the
smtp/$(uname -n)@REALM formula?
While Viktor's suggestion is a great help and moves me forward in terms
of Postfix as a SASL client for LDAP lookups, it raises a concern about
having a local user context (root) with interactive authenticated access
to LDAP, be it read-only because of restrictions put on the LDAP user
object associated with the identity established via Kerberos. Would
there be a way to pass that script to, say, the postfix user (su -c or
something), which is not available as an interactive session/shell,
thereby eliminating the available access to LDAP for a user who gains
root access?
Viktor's script gets a Kerberos ticket every hour. It does not renew
the existing ticket, it seems. My tickets are valid for 10 hours, and
renewable for 1 week. Getting a new ticket every hour is unnecessary.
The idea of a Samba client being used to refresh tickets sounds
interesting. Louis, please do provide more detail.
To further the idea of managing Kerberos tickets, has SSSD been looked
at? Would it provide means to handle ticketing for both the "server"
and "client" side of Postfix's dealings with AuthN/AuthZ?
On 01/02/2016 08:05 AM, L.P.H. van Belle wrote:
Never knew this; what is the SPN postfix/sasl needs?
And a simple way to make the client work: set up a Samba client. If set up
correctly, Samba will refresh the keytab file.
If someone wants info on this, I can answer Monday again.
greetz,
louis
On 1 Jan 2016 at 21:17, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
On Fri, Jan 01, 2016 at 02:46:33PM -0500, Brendan Kearney wrote:
Postfix version - 3.0.3 running on Fedora 22. MIT Kerberos and OpenLDAP are
being used.
My ldap-users.cf file, for example:
server_host = ldap://server1.bpk2.com ldap://server2.bpk2.com
search_base = dc=bpk2,dc=com
version = 3
bind = sasl
bind_dn = uid=mta,ou=processUsers,ou=Users,dc=bpk2,dc=com
sasl_mechs = gssapi
sasl_realm = BPK2.COM
query_filter = (mail=%s)
Where is the credential cache for the "postfix" ($mail_owner) user?
The above results in the below error logs:
Jan 01 14:33:50 mail postfix/trivial-rewrite[17185]: GSSAPI Error:
Unspecified GSS failure. Minor code may provide more information (No
Kerberos credentials available)
Not surprising, you need a cred cache.
I am assuming the keytab, /etc/postfix/postfix.keytab, would be used to bind
to the directory, but I am not sure.
No, Kerberos keytabs are not credential caches. You need to run "kinit"
to obtain credentials via a keytab. I recommend an hourly cron job
that runs as "postfix":
export KRB5_KTNAME=FILE:/etc/postfix/postfix.keytab
export KRB5CCNAME=FILE:$(postconf -xh queue_directory)/ccache
principal=smtp/$(uname -n)
kinit -k "$principal"
Then in main.cf add:
# var=import_environment
# val=$(postconf -h "$var")
# postconf -e "$var = $val KRB5CCNAME=FILE:\${queue_directory}/ccache"
import_environment = MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY
    DISPLAY LANG=C KRB5_KTNAME=/etc/postfix/postfix.keytab
export_environment = TZ MAIL_CONFIG LANG KRB5_KTNAME
This suffices for Postfix as a Kerberos server, but not as a Kerberos
client.
--
Viktor.