Debugging why KRB5_KTNAME isn't working

Simo Sorce simo at
Thu Jan 27 15:53:10 EST 2022

On Thu, 2022-01-27 at 15:34 -0500, Brian J. Murrell wrote:
> On Thu, 2022-01-27 at 20:31 +0100, Jochen Kellner wrote:
> > 
> > I once configured postfix to use sasl:
> > 
> > = yes
> I do have that already.
> > And in /etc/postfix/sasl/smtpd.conf:
> Hrm.  I don't have this file.  But I never did and this all worked
> prior to a few days ago when the machine was upgraded from EL7 to EL8,
> which unsurprisingly upgrades a lot of things in big jumps.  So maybe
> this is now necessary.
> Ahh.  Looking at smtpd's strace output, it seems it's looking in
> /etc/sasl2/smtpd.conf on my machine and I do have that file with:
> pwcheck_method: saslauthd
> mech_list: gssapi plain login
> > keytab: /etc/smtp.keytab
> And indeed, winner winner, chicken dinner!  Adding a "keytab:
> /etc/postfix/smtp.keytab" to that file is making smtpd use the correct
> keytab file now.
> So this must all be new behavior in some upgraded versions.

The keytab option for the cyrus-sasl gssapi plugin is somewhat new
(considering that RHEL-8 is almost 3 years old now) and is probably
causing the change in behavior wrt environment variables that you are

Simo Sorce
RHEL Crypto Team
Red Hat, Inc
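
A check that could be run after a change like the one in this thread, as an added example that is not part of the original messages: it reads the `keytab:` option from a Cyrus SASL service config and reports whether the named file is readable and closed to group and others. The function names and result strings are hypothetical, and matching the option name case-insensitively is an assumption of this example.

```shell
#!/bin/sh
# Added example (not from the thread): function names and result strings
# are hypothetical.

# Print the value of the first "keytab:" option in a SASL config file.
# Assumption: keys are matched case-insensitively; "#" starts a comment line.
sasl_keytab() {
    awk '
        /^[ \t]*#/ { next }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            i = index(line, ":")
            if (i == 0) next
            if (tolower(substr(line, 1, i - 1)) != "keytab") next
            val = substr(line, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            print val
            exit
        }' "$1"
}

# Report on the keytab named by a config file:
#   ok:PATH           readable, no group/other permission bits
#   loose-perms:PATH  readable, but group or others have some access
#   unreadable:PATH   missing or not readable by the invoking user
#   no-keytab-option  config has no keytab line
# Run it as the account the service runs as, since -r tests the caller.
check_keytab() {
    kt=$(sasl_keytab "$1")
    if [ -z "$kt" ]; then
        echo "no-keytab-option"; return 1
    fi
    if [ ! -r "$kt" ]; then
        echo "unreadable:$kt"; return 2
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    if [ "$(ls -ld -- "$kt" | cut -c5-10)" != "------" ]; then
        echo "loose-perms:$kt"; return 3
    fi
    echo "ok:$kt"
}

# Usage: sh check_keytab.sh /etc/sasl2/smtpd.conf
if [ "$#" -gt 0 ]; then
    check_keytab "$1"
fi
```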
