On Sat, Jan 02, 2016 at 12:00:23PM -0500, Brendan Kearney wrote:

> the SPN would be smtp/host.domain.tld@REALM.

That's what SMTP clients expect for an SMTP service at "host.domain.tld", in Kerberos realm "REALM".

> How does one tell postfix/submission what principal to use, when in a load
> balanced environment and the keytab differs from the smtp/$(uname -n)@REALM
> formula?

A single keytab file can contain keys for multiple principals. On the Postfix side the service name is configurable in versions 2.11 and later:

http://www.postfix.org/postconf.5.html#smtpd_sasl_service

> While Victor's suggestion is a great help and moves me forward in terms of
> postfix as a SASL client for LDAP lookups, it raises a concern about having
> a local user context (root) with interactive authenticated access to LDAP,
> be it read-only because of restrictions put on the LDAP user object
> associated with the identity established via Kerberos.

This makes no sense. The "root" user typically can "su" to any other user, so you can't hide credentials from "root". And my suggestion is that both the keytab and ccache belong to "postfix", not root, since it is "postfix" and not "root" that will be reading these.

> Would there be a way
> to pass that script to say the postfix user (su -c or something), which is
> not available as an interactive session/shell, thereby eliminating the
> available access to LDAP for a user who gains root access?

If someone has "root" access, they get "postfix" for free.

> Victor's script gets a Kerberos ticket every hour. It does not renew the
> existing ticket, it seems. My tickets are valid for 10 hours, and renewable
> for 1 week. Getting a new ticket every hour is unnecessary. The idea of a
> samba client being used to refresh tickets sounds interesting. Louis,
> please do provide more detail.

This is a non-interactive use-case. A fresh ticket once an hour is by far simpler than trying to figure out when to renew and when to get a fresh ticket. DO NOT make this needlessly complex.

-- 
	Viktor.
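The refresh approach Viktor describes above (keytab and credential cache owned by "postfix", a fresh ticket each hour from cron, no renew logic), as an added illustration that is not Viktor's script nor anything shipped by the Postfix project. The keytab and ccache paths, the realm, the SPN host and the `--run` switch are assumptions; how Postfix is pointed at the ccache (for example through KRB5CCNAME in its environment) is outside this example.

```shell
#!/bin/sh
# Hourly, non-interactive ticket refresh for Postfix acting as a SASL/GSSAPI
# client. Meant to run from the "postfix" user's crontab, so the keytab and the
# credential cache are owned by postfix rather than root. All paths and names
# below are assumed values for illustration, not values from the thread.
set -eu

KEYTAB="${KEYTAB:-/etc/postfix/smtp.keytab}"    # assumed; owned by postfix, mode 0600
CCACHE="${CCACHE:-/var/lib/postfix/krb5cc}"    # assumed; Postfix must be told to use it
REALM="${REALM:-EXAMPLE.COM}"                  # placeholder realm
SERVICE="${SERVICE:-smtp}"

# Build the SPN. In a load-balanced setup the host part is the name clients
# connect to, not necessarily $(uname -n), so it is passed in explicitly.
build_principal() {
    # $1 = service, $2 = host, $3 = realm  ->  service/host@REALM
    printf '%s/%s@%s\n' "$1" "$2" "$3"
}

# Refuse a keytab that other users can read: anyone who can read it can
# obtain tickets as the service. Parses "ls -l" so it works on GNU and BSD.
keytab_mode_ok() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        -rw-------|-r--------) return 0 ;;
        *) return 1 ;;
    esac
}

# Always obtain a fresh ticket from the keytab; no renew-or-reacquire logic.
refresh_ticket() {
    # $1 = principal
    keytab_mode_ok "$KEYTAB" || { echo "keytab $KEYTAB is readable by others" >&2; return 1; }
    kinit -k -t "$KEYTAB" -c "$CCACHE" "$1"
}

# Only perform the refresh when invoked with --run (assumed switch), so the
# functions can be sourced and checked without a KDC being reachable.
if [ "${1:-}" = "--run" ]; then
    refresh_ticket "$(build_principal "$SERVICE" "${SPN_HOST:-$(hostname)}" "$REALM")"
fi
```

A crontab line such as `0 * * * * /path/to/this-script --run` in postfix's crontab gives the once-an-hour refresh; root never needs to hold the cache.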