Debugging why KRB5_KTNAME isn't working

Brian J. Murrell brian at
Thu Jan 27 12:01:48 EST 2022

I am trying to debug why having KRB5_KTNAME set in the environment of a
process is not actually making that process use that keytab file but
instead is using the default /etc/krb5.keytab.

The process is Postfix's SMTP deamon (smtpd).

I have confirmed that the method of setting the environment variable is

# ps -ef | grep smtpd
postfix  3726845 3515138  0 11:56 ?        00:00:00 smtpd -n smtp -t inet -u -o stress= -s 2
# tr '\0' '\n' < /proc/3726845/environ

However when looking at what the process is actually trying to open
with strace, it's clear that it's not using /etc/postfix/smtp.keytab:

# grep keytab /tmp/smtpd.strace6
3726845 openat(AT_FDCWD, "/etc/krb5.keytab", O_RDONLY) = -1 EACCES (Permission denied)
3726845 openat(AT_FDCWD, "/etc/krb5.keytab", O_RDONLY) = -1 EACCES (Permission denied)

As you can see, I did attempt to try to trace the kerberos library with


but that file does not actually get anything written to it:

-rwxrwxrwx. 1 root root 0 Jan 27 11:27 smtpd_krb5_trace

and the above strace doesn't show any sign of trying to open or even
stat the file:

# grep smtpd_krb5_trace /tmp/smtpd.strace6

Kerberos version appears to be MIT 1.18.2.

Any thoughts/ideas?


More information about the Kerberos mailing list