Debugging why KRB5_KTNAME isn't working

Greg Hudson ghudson at
Thu Jan 27 13:41:38 EST 2022

On 1/27/22 12:01 PM, Brian J. Murrell wrote:
> I am trying to debug why having KRB5_KTNAME set in the environment of a
> process is not actually making that process use that keytab file but
> instead is using the default /etc/krb5.keytab.

There are three possible reasons why environment variables might be
ignored.  First, Postfix might be asking for a secure krb5 context
(krb5_init_secure_context()).  Second (and I think the most likely), the
process may be running with elevated privilege as determined by
secure_getenv().  A setuid or setgid bit on the executable could be
enough to trigger this.  Third, as Ken suggested, the program might
clean up its own environment.

If any of these are true, then you have limited options to affect the
program behavior from outside of the process.  You can change the
default keytab location in /etc/krb5.conf, but that would be global (and
of course you can't point the program at a different config file via
environment variable because those are ignored).

Of course, the program itself can provide configuration for the keytab
file.  I couldn't find any gss_ or krb5_ calls in the Postfix source
code (looking at Viktor Dukhovni's git mirror), so I don't have any
immediate insight as to whether that's currently possible or what would
need to change.

More information about the Kerberos mailing list