On 01/02/2016 01:30 PM, Viktor Dukhovni wrote:
>> how does one tell postfix/submission what principal to use, when in a load
>> balanced environment and the keytab differs from the smtp/$(uname -n)@REALM
>> formula?
>
> A single keytab file can contain keys for multiple principals. On the
> Postfix side the service name is configurable in versions 2.11 and
> later:
>
> http://www.postfix.org/postconf.5.html#smtpd_sasl_service

i added the line:

    -o smtpd_sasl_service=smtp/smtp.bpk2.com

to master.cf, trying to indicate the principal to be used by submission
when authenticating users. because i want to load balance multiple
instances, i need the instance in the principal to be the name of the
load balanced VIP and not that of the individual host. this did not
work and i got the below error message:

    warning: SASL authentication failure: GSSAPI Error: Unspecified GSS
    failure. Minor code may provide more information (No key table entry
    found matching smtp\/smtp.bpk2.com/mail.bpk2.com@)

if i am understanding this correctly, the smtpd_sasl_service is used to
change the primary, but i need to change the instance, instead. how
would i change the principal from:

    smtp/<hostname.domain.tld>@REALM

to

    smtp/<VIP.domain.tld>@REALM

so that load balancing and kerberos work together?

thanks,
brendan
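
Added example, not part of the original message and not Postfix or Cyrus SASL code: a small Python model of the keytab lookup behind the warning above. It assumes the acceptor name is built as <service>/<local host name>, which is what the logged principal suggests; the function names, the sample `klist -k` output, the keytab path and the KVNOs are constructed for illustration.

```python
import re

# Constructed sample of plain `klist -k` output; the host names are the ones
# in the message above, the keytab path and KVNOs are made up for the example.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------
   3 smtp/mail.bpk2.com@REALM
   3 smtp/smtp.bpk2.com@REALM
"""

def escape_component(component):
    """Backslash-escape separators inside one name component, as the
    displayed form of a Kerberos principal does."""
    return re.sub(r"([\\/@])", r"\\\1", component)

def acceptor_principal(service, hostname, realm=""):
    """Model (assumption): the service setting is a single component and the
    local host name is appended as the second component."""
    return f"{escape_component(service)}/{escape_component(hostname)}@{realm}"

def keytab_principals(klist_text):
    """Return the principal names listed by plain `klist -k` output."""
    return re.findall(r"^\s*\d+\s+(\S+@\S*)\s*$", klist_text, flags=re.M)

def has_key(service, hostname, klist_text, realm=""):
    """Return (principal looked up, whether the keytab listing contains it)."""
    wanted = acceptor_principal(service, hostname, realm)
    entries = keytab_principals(klist_text)
    # Empty realm, as in the logged error: compare everything up to the "@".
    if realm == "":
        return wanted, any(e.startswith(wanted) for e in entries)
    return wanted, wanted in entries

if __name__ == "__main__":
    cases = [
        ("smtp/smtp.bpk2.com", "mail.bpk2.com"),  # setting from the message
        ("smtp", "mail.bpk2.com"),                # service plus real host name
        ("smtp", "smtp.bpk2.com"),                # service plus VIP name
    ]
    for service, hostname in cases:
        print(has_key(service, hostname, SAMPLE_KLIST))
```

The first case reproduces the principal string from the warning: the whole setting, slash included, lands in the first component, so it cannot match a two-component smtp/<VIP> entry even when that entry is present in the keytab.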