I know for a fact that postfix and cyrus can read the keytab, since wrong permissions correctly give a permission denied in the log file. I also verified that the correct file was chosen using strace.

I also tried using dovecot as a SASL auth backend. It gave me the same cryptic Kerberos error response as cyrus. I also have IMAP set up in dovecot and it works without issues with GSSAPI. I can't understand why SMTP refuses to work.

log/dovecot.log:

    Aug 22 15:45:35 auth: Info: gssapi(?,192.168.0.150): While processing incoming data: Unspecified GSS failure.  Minor code may provide more information
    Aug 22 15:45:35 auth: Info: gssapi(?,192.168.0.150): While processing incoming data: Success

As requested:

    # ls -la /etc/postfix/postfix.keytab
    -rw-rw-rw-. 1 root root 5859 Aug 22 15:52 /etc/postfix/postfix.keytab

    # klist -Kek /etc/postfix/postfix.keytab
    Keytab name: FILE:/etc/postfix/postfix.keytab
    KVNO Principal
    ---- --------------------------------------------------------------------------
       2 smtp/srv.mydomain.t...@mydomain.test (arcfour-hmac)  (0x51f860d755da544604c21b686c70fdb2)
       2 smtp/srv.mydomain.t...@mydomain.test (des-cbc-md5)  (0x32f8f1ad3140859b)
       2 smtp/srv.mydomain.t...@mydomain.test (des-cbc-crc)  (0x32f8f1ad3140859b)

    # sudo -u postfix kinit -k -t /etc/postfix/postfix.keytab smtp/srv.mydomain.test
    # sudo -u postfix klist
    Ticket cache: FILE:/tmp/krb5cc_89
    Default principal: smtp/srv.mydomain.t...@mydomain.test

    Valid starting       Expires              Service principal
    08/22/2018 15:56:55  08/23/2018 01:56:55  krbtgt/mydomain.t...@mydomain.test
            renew until 08/29/2018 15:56:55

On Wed, Aug 22, 2018 at 3:05 PM Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
>
>
> > On Aug 22, 2018, at 5:02 AM, Kacper <kac...@kacper.se> wrote:
> >
> > I've been trying to set up GSSAPI in postfix via cyrus-sasl. The service
> > principal is configured and so is sasl2/smtpd.conf. All I get from the
> > postfix log file is that the GSSAPI auth failed and that the minor error
> > code was Success.
>
> Post more detailed configuration information.
>
> 0. List the keytab file owner and permissions (ls -l)
> 1. List the principal names from the keytab file
> 2. As the "postfix" user, use the keytab file to obtain a
>    TGT with "kinit -k -t <keytab> <principal>".  List the
>    obtained creds with "klist".
>
> I expect your keytab file is owner=root mode=0600, which can't
> work with Postfix, because by the time smtpd(8) is using Cyrus
> SASL to check SASL creds, it is no longer running as "root".
>
> > How do I debug this?
>
> Don't debug, configure it correctly instead.  To make doubly sure the
> correct keytab file is used:
>
>     import_environment =
>         MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ LANG=C
>         KRB5_KTNAME=/etc/postfix/postfix.keytab
>
> though you should store your keytab elsewhere, the files
> in /etc/postfix/ are expected to belong to root.  This
> should be in /var/spool/keytabs/smtp or similar.
>
> I use GSSAPI via dovecot auth:
>
> main.cf:
>     smtpd_sasl_type = dovecot
>
> dovecot.conf:
>     auth_realms = <MYREALM>
>     auth_mechanisms = gssapi plain
>     auth_gssapi_hostname = "$ALL"
>     auth_krb5_keytab = /var/spool/keytabs/imap
>
> $ ls -l /var/spool/keytabs/imap
> -rw------- 1 dovecot wheel 1142 Jun 26 18:47 /var/spool/keytabs/imap
>
> /var/spool/keytabs/imap:
>
> Vno  Type                     Principal
>   1  aes128-cts-hmac-sha1-96  imap/<myhostname>@<MYREALM>
>   1  aes128-cts-hmac-sha1-96  smtp/<myhostname>@<MYREALM>
>
> --
> Viktor.
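Added example, not code from either poster: a small POSIX sh audit of the two things this exchange turns on, keytab ownership/mode and the key types listed by `klist -Kek`. The keytab above is world-readable and world-writable (0666) and holds only arcfour-hmac and single-DES keys, whereas Viktor's is 0600 and AES-only; MIT krb5 removed single-DES in 1.18 and deprecates RC4/des3, so such keys are a plausible silent GSSAPI failure. The `klist` sample is constructed (key bytes replaced by a placeholder) and the GNU/BSD `stat` fallback is an assumption about the host.

```shell
#!/bin/sh
# Added example (not from the thread): audit a service keytab before handing
# it to Postfix or Dovecot.
#   1. owned by the service user, mode 0600/0400 (0666 leaks keys to every
#      local account; root:0600 is unreadable once smtpd has dropped root)
#   2. AES keys only: single-DES is gone in MIT krb5 >= 1.18, RC4/des3 deprecated

# keytab_perm_check FILE USER -> 0 if FILE is owned by USER with mode 600/400
keytab_perm_check() {
    file=$1 want_owner=$2
    [ -f "$file" ] || { echo "missing: $file"; return 1; }
    # GNU stat first, BSD stat as fallback (assumption about the host)
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    owner=$(stat -c '%U' "$file" 2>/dev/null || stat -f '%Su' "$file")
    rc=0
    [ "$owner" = "$want_owner" ] || { echo "owner $owner, want $want_owner"; rc=1; }
    case $mode in
        600|400) ;;
        *) echo "mode $mode, want 600 (group/world must not read keys)"; rc=1 ;;
    esac
    return $rc
}

# weak_enctype_check < klist-Kek-output -> 0 if no weak key types are present
weak_enctype_check() {
    found=0
    while IFS= read -r line; do
        case $line in
            *"(des-"*|*"(des3-"*|*"(arcfour-hmac"*|*"(rc4-hmac"*)
                echo "weak key: $line"; found=1 ;;
        esac
    done
    return $found
}

# Constructed sample in the shape of `klist -Kek` output; hostname from the
# thread, key bytes replaced by a placeholder.
SAMPLE_KLIST='Keytab name: FILE:/etc/postfix/postfix.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 smtp/srv.mydomain.test@MYDOMAIN.TEST (arcfour-hmac)  (0xPLACEHOLDER)
   2 smtp/srv.mydomain.test@MYDOMAIN.TEST (des-cbc-md5)  (0xPLACEHOLDER)
   2 smtp/srv.mydomain.test@MYDOMAIN.TEST (aes256-cts-hmac-sha1-96)  (0xPLACEHOLDER)'

# Stand-alone demo: check the thread's path (override with KEYTAB=...) and the
# sample; the sample reports its two weak keys.
keytab_perm_check "${KEYTAB:-/etc/postfix/postfix.keytab}" postfix || echo "keytab: not fit for use"
printf '%s\n' "$SAMPLE_KLIST" | weak_enctype_check || echo "sample keytab: re-key with AES only"
```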