> On Aug 22, 2018, at 5:02 AM, Kacper <kac...@kacper.se> wrote:
>
> I've been trying to set up GSSAPI in postfix via cyrus-sasl. The service
> principal is configured and so is sasl2/smtpd.conf. All I get from the
> postfix log file is that the GSSAPI auth failed and that the minor error code
> was Success.

Post more detailed configuration information.

  0. List the keytab file owner and permissions (ls -l)
  1. List the principal names from the keytab file
  2. As the "postfix" user, use the keytab file to obtain a
     TGT with "kinit -k -t <keytab> <principal>". List the
     obtained creds with "klist".

I expect your keytab file is owner=root mode=0600, which can't
work with Postfix, because by the time smtpd(8) is using Cyrus
SASL to check SASL creds, it is no longer running as "root".

> How do I debug this?

Don't debug, configure it correctly instead. To make doubly sure the
correct keytab file is used:

    import_environment =
        MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ LANG=C
        KRB5_KTNAME=/etc/postfix/postfix.keytab

though you should store your keytab elsewhere, the files
in /etc/postfix/ are expected to belong to root. This
should be in /var/spool/keytabs/smtp or similar.

I use GSSAPI via dovecot auth:

    main.cf:
        smtpd_sasl_type = dovecot

    dovecot.conf:
        auth_realms = <MYREALM>
        auth_mechanisms = gssapi plain
        auth_gssapi_hostname = "$ALL"
        auth_krb5_keytab = /var/spool/keytabs/imap

    $ ls -l /var/spool/keytabs/imap
    -rw-------  1 dovecot  wheel  1142 Jun 26 18:47 /var/spool/keytabs/imap

    /var/spool/keytabs/imap:

    Vno  Type                     Principal
    1    aes128-cts-hmac-sha1-96  imap/<myhostname>@<MYREALM>
    1    aes128-cts-hmac-sha1-96  smtp/<myhostname>@<MYREALM>

--
Viktor.
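
Steps 0 and 2 of the checklist in the reply above, as a shell script. This is an added example, not part of the thread; the function names, the script name in the usage line and the use of `sudo -u` to become the service user are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Helper names are constructed.

# Step 0: succeed only if keytab $1 is owned by user $2, is owner-readable,
# and has no group/other permission bits. Returns 2 if missing, 1 if unusable.
keytab_usable_by() {
    kt=$1 user=$2
    [ -f "$kt" ] || { echo "$kt: no such file" >&2; return 2; }
    # ls -ld: field 1 is the mode string, field 3 the owner.
    meta=$(ls -ld "$kt" | awk '{print $1 " " $3}')
    mode=${meta% *} owner=${meta#* }
    if [ "$owner" != "$user" ]; then
        echo "$kt: owned by $owner, but the service runs as $user" >&2
        return 1
    fi
    case $mode in
        -r??------*) return 0 ;;
        *) echo "$kt: mode $mode, want owner-only read access" >&2; return 1 ;;
    esac
}

# Step 2: as the service user, get a TGT from the keytab and list it.
# Needs sudo rights and a reachable KDC, so it only runs when arguments are given.
keytab_login_as() {
    kt=$1 user=$2 princ=$3
    sudo -u "$user" kinit -k -t "$kt" "$princ" && sudo -u "$user" klist
}

# Usage: sh check-keytab.sh <keytab> <user> <principal>
if [ $# -eq 3 ]; then
    keytab_usable_by "$1" "$2" && keytab_login_as "$1" "$2" "$3"
fi
```

A keytab that is owner=root mode=0600 fails the first check when the user argument is `postfix`, which is the case the reply expects.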