Debugging why KRB5_KTNAME isn't working
Brian J. Murrell
brian at interlinx.bc.ca
Thu Jan 27 12:01:48 EST 2022

I am trying to debug why having KRB5_KTNAME set in the environment of a
process is not actually making that process use that keytab file but
instead is using the default /etc/krb5.keytab.

The process is Postfix's SMTP daemon (smtpd).

I have confirmed that the method of setting the environment variable is
working:

# ps -ef | grep smtpd
postfix 3726845 3515138 0 11:56 ? 00:00:00 smtpd -n smtp -t inet -u -o stress= -s 2
# tr '\0' '\n' < /proc/3726845/environ
KRB5_KTNAME=/etc/postfix/smtp.keytab
KRB5_CLIENT_KTNAME=/etc/postfix/smtp.keytab
KRB5_TRACE=/tmp/smtpd_krb5_trace
GENERATION=55

However, when looking at what the process is actually trying to open
with strace, it's clear that it's not using /etc/postfix/smtp.keytab:

# grep keytab /tmp/smtpd.strace6
3726845 openat(AT_FDCWD, "/etc/krb5.keytab", O_RDONLY) = -1 EACCES (Permission denied)
3726845 openat(AT_FDCWD, "/etc/krb5.keytab", O_RDONLY) = -1 EACCES (Permission denied)

As you can see, I did attempt to try to trace the kerberos library with
KRB5_TRACE=/tmp/smtpd_krb5_trace
but that file does not actually get anything written to it:

-rwxrwxrwx. 1 root root 0 Jan 27 11:27 smtpd_krb5_trace

and the above strace doesn't show any sign of trying to open or even
stat the file:

# grep smtpd_krb5_trace /tmp/smtpd.strace6
[nothing]

Kerberos version appears to be MIT 1.18.2.

Any thoughts/ideas?

Cheers,
b.
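
Added example, not part of the original post: a further check to run next to the /proc/PID/environ and strace checks above. It assumes the library reads KRB5_KTNAME and KRB5_TRACE through glibc's secure_getenv(), which returns NULL when the process was started with AT_SECURE set even though the variables still show in /proc/PID/environ; the post does not establish that this is the cause. The function names, the sample auxv image and the 64-bit word size are assumptions of this example.

```python
import struct
import sys

AT_NULL, AT_SECURE = 0, 23  # auxiliary-vector keys from <elf.h>
WATCHED = ("KRB5_KTNAME", "KRB5_CLIENT_KTNAME", "KRB5_TRACE")

# Constructed sample: the environment shown in the post, plus an auxv image
# for a 64-bit process with AT_SECURE=1 (this auxv is invented for illustration).
SAMPLE_ENVIRON = (b"KRB5_KTNAME=/etc/postfix/smtp.keytab\0"
                  b"KRB5_CLIENT_KTNAME=/etc/postfix/smtp.keytab\0"
                  b"KRB5_TRACE=/tmp/smtpd_krb5_trace\0GENERATION=55\0")
SAMPLE_AUXV = struct.pack("=6Q", 6, 4096, AT_SECURE, 1, AT_NULL, 0)

def parse_environ(blob):
    """Split a /proc/PID/environ image (NUL-separated NAME=value) into a dict."""
    env = {}
    for item in blob.split(b"\0"):
        name, sep, value = item.partition(b"=")
        if sep:
            env[name.decode(errors="replace")] = value.decode(errors="replace")
    return env

def at_secure(auxv, word=8):
    """Return True if a /proc/PID/auxv image carries a non-zero AT_SECURE entry.
    word is the target's word size in bytes (assumed 8; pass 4 for 32-bit)."""
    fmt = "=QQ" if word == 8 else "=II"
    usable = len(auxv) - len(auxv) % (2 * word)  # ignore a truncated tail
    for key, value in struct.iter_unpack(fmt, auxv[:usable]):
        if key == AT_NULL:
            break
        if key == AT_SECURE:
            return value != 0
    return False

def diagnose(environ_blob, auxv_blob, word=8):
    """Return (secure, found): whether secure_getenv() would return NULL, and
    the watched variables that were present in the initial environment."""
    env = parse_environ(environ_blob)
    return at_secure(auxv_blob, word), {k: env[k] for k in WATCHED if k in env}

def report(environ_blob, auxv_blob):
    """Build the report lines for one process image."""
    secure, found = diagnose(environ_blob, auxv_blob)
    lines = [f"{k}={v}" for k, v in found.items()] + [f"AT_SECURE={int(secure)}"]
    if secure and found:
        lines.append("secure_getenv() returns NULL here: variables above are ignored")
    return lines

if __name__ == "__main__":
    if len(sys.argv) == 2:  # live process: needs permission to read /proc/PID/*
        blobs = [open(f"/proc/{sys.argv[1]}/{n}", "rb").read() for n in ("environ", "auxv")]
    else:
        blobs = [SAMPLE_ENVIRON, SAMPLE_AUXV]
    print("\n".join(report(*blobs)))
```

Run it as root with the smtpd PID as the only argument; with no argument it reports on the constructed sample.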