> On Aug 22, 2018, at 12:04 PM, Kacper <kac...@kacper.se> wrote:
> 
> As requested:
> 
> # ls -la /etc/postfix/postfix.keytab
> -rw-rw-rw-. 1 root root 5859 Aug 22 15:52 /etc/postfix/postfix.keytab

This is of course wrong.  The file MUST NOT be world-readable.  It
needs to belong to the "postfix" user, and have mode 0600.

> log/dovecot.log:
> Aug 22 15:45:35 auth: Info: gssapi(?,192.168.0.150): While processing
> incoming data: Unspecified GSS failure.  Minor code may provide more
> information
> Aug 22 15:45:35 auth: Info: gssapi(?,192.168.0.150): While processing
> incoming data: Success

Why are you looking in the dovecot logs?  This is a dovecot IMAP error,
not a Postfix smtpd(8) error...

> klist -Kek /etc/postfix/postfix.keytab
> Keytab name: FILE:/etc/postfix/postfix.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>   2 smtp/srv.mydomain.t...@mydomain.test (arcfour-hmac)  (0x51f860d755da544604c21b686c70fdb2)
>   2 smtp/srv.mydomain.t...@mydomain.test (des-cbc-md5)  (0x32f8f1ad3140859b)
>   2 smtp/srv.mydomain.t...@mydomain.test (des-cbc-crc)  (0x32f8f1ad3140859b)

This makes the RC4 and DES keys for this principal public.  It should not
have any DES keys; you need to disable DES in your KDC and generate keytabs
that use AES and perhaps also RC4 (though this is generally no longer needed
even on Windows).  Since the keys have leaked to the world, this is a good
time to change them.

> # sudo -u postfix kinit -k -t /etc/postfix/postfix.keytab smtp/srv.mydomain.test
> # sudo -u postfix klist
> Ticket cache: FILE:/tmp/krb5cc_89
> Default principal: smtp/srv.mydomain.t...@mydomain.test
> 
> Valid starting       Expires              Service principal
> 08/22/2018 15:56:55  08/23/2018 01:56:55  krbtgt/mydomain.t...@mydomain.test
> renew until 08/29/2018 15:56:55

It does look like the keys match what the KDC has.  Now you need to include
KRB5_KTNAME=/path/to/keytab as recommended in "import_environment", ensure
correct location (not /etc/postfix) and ownership/permissions, provision
non-legacy algorithms.

You should also ensure that the client is using the same hostname for
the SMTP server that you see listed in the keytab file (whatever
"srv.mydomain.test" is).  Make sure the client does not have
stale cached tickets that no longer match the server keytab.

What is the "kvno" for the service as seen from "klist" on the client?
Is the principal name the same?

-- 
        Viktor.
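The two checks the reply asks for (keytab owned by "postfix" with mode 0600, and no DES or RC4 keys in it) can be scripted so they run on every mail host before Postfix is restarted. The script below is an added example and is not code from the thread or from Postfix; it assumes GNU/BSD `ls -ld` field order for the mode and owner columns, accepts a trailing "." or "+" on the mode (SELinux/ACL marker, as in the `ls -la` output quoted above), and parses `klist -Kek` output fed on stdin. The sample klist text and the `0x00...` key values are constructed placeholders, not keys from the thread.

```shell
#!/bin/sh
# Added example: audit a Postfix keytab as recommended in the reply.
# Not part of the original thread; ls field positions are an assumption.

# check_keytab_perms FILE EXPECTED_OWNER
# Returns 0 only if FILE is a regular file, mode -rw------- (0600), owned by
# EXPECTED_OWNER. Prints one line per violation.
check_keytab_perms() {
    f=$1; want_owner=$2
    [ -f "$f" ] || { echo "missing keytab: $f"; return 1; }
    # shellcheck disable=SC2046  # word-splitting ls output on purpose
    set -- $(ls -ld "$f")
    mode=$1; have_owner=$3
    status=0
    case "$mode" in
        -rw-------|-rw-------[.+]) ;;                    # exactly 0600 (+ ACL/SELinux marker)
        *) echo "bad mode $mode on $f (want -rw-------)"; status=1 ;;
    esac
    if [ "$have_owner" != "$want_owner" ]; then
        echo "bad owner $have_owner on $f (want $want_owner)"; status=1
    fi
    return $status
}

# find_legacy_enctypes: reads "klist -Kek FILE" output on stdin, prints every
# key line whose enctype is DES or RC4 (arcfour), returns 1 if any were found.
find_legacy_enctypes() {
    found=$(grep -E '\((des-|des3-|arcfour-|rc4-)[^)]*\)' || true)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Constructed sample klist output (placeholder hashes, not real keys) that
# mirrors the enctype mix from the thread plus one acceptable AES key.
SAMPLE_KLIST='Keytab name: FILE:/etc/postfix/postfix.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 smtp/srv.mydomain.test@MYDOMAIN.TEST (arcfour-hmac)  (0x00000000000000000000000000000000)
   2 smtp/srv.mydomain.test@MYDOMAIN.TEST (des-cbc-md5)  (0x0000000000000000)
   2 smtp/srv.mydomain.test@MYDOMAIN.TEST (aes256-cts-hmac-sha1-96)  (0x00000000000000000000000000000000)'

# count_legacy_in_sample: number of legacy key lines in SAMPLE_KLIST.
count_legacy_in_sample() {
    printf '%s\n' "$SAMPLE_KLIST" | find_legacy_enctypes | wc -l | tr -d ' '
}

# Typical use on a real host (commented out so the script runs offline):
#   check_keytab_perms /etc/postfix/postfix.keytab postfix
#   klist -Kek /etc/postfix/postfix.keytab | find_legacy_enctypes
```

Run both checks from the same cron job or config-management hook; a non-zero exit from either means the keytab must be regenerated with AES-only enctypes and re-installed with `chown postfix` and `chmod 0600` before pointing Postfix at it via `KRB5_KTNAME` in `import_environment`.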
