I managed to get gdb setup and tracked down the error happening
in gss_accept_sec_context in the cyrus sasl library. I got the major and
minor kerberos error codes (851968 respectively 100001) but that doesn't
leave much to go on either.
On Wed, Aug 22, 2018 at 2:37 PM Wietse Venema <wie...@porcupine.org> wrote:
> Kacper:
> > Hello,
> >
> > I've been trying to setup GSSAPI in postfix via cyrus-sasl. The service
> > principal is configured and so is sasl2/smtpd.conf. All I get from the
> > postfix log file is that the GSSAPI auth failed and that the minor error
> > code was Success.
>
> Indeed. Postfix does not implement GSSAPI. Cyrus SASL does. Therefore,
> only Cyrus Sasl knows what is going on.
>
> > Success as an error code doesn't leave much to go on. log_level: 7 did
> > nothing to produce more verbose output.
>
> It's a bit like logging into a system where you have no account.
> The password check fails successfully.
>
> > How do I debug this? Is there a configuration flag to bring out trace
> > information? Perhaps postfix can be recompiled with some kind of SASL
> debug
> > flag? I guess the last option would be to use gdb (already tried strace)
> > but then I would need to know what to look for.
>
> There is no code in Postfix to look inside the guts of Cyrus SASL.
> You'd have to use some debugger like gdb for that (as described in
> Postfix DEBUG_README).
>
> However it may be possible to configure additional callbacks in
> the Postfix xsasl_cyrus_server.c file:
>
> 176 /*
> 177 * SASL callback interface structure. These call-backs have no
> per-session
> 178 * context.
> 179 */
> 180 #define NO_CALLBACK_CONTEXT 0
> 181
> 182 static sasl_callback_t callbacks[] = {
> 183 {SASL_CB_LOG, (XSASL_CYRUS_CB) &xsasl_cyrus_log,
> NO_CALLBACK_CONTEXT},
> 184 {SASL_CB_LIST_END, 0, 0}
> 185 };
>
> Perhaps there is anything in there that would shed a light on the
> problem.
>
> Wietse
>
