Debugging why KRB5_KTNAME isn't working
Simo Sorce
simo at redhat.com
Thu Jan 27 15:53:10 EST 2022

On Thu, 2022-01-27 at 15:34 -0500, Brian J. Murrell wrote:
> On Thu, 2022-01-27 at 20:31 +0100, Jochen Kellner wrote:
> >
> > I once configured postfix to use sasl:
> >
> > main.cf:83:smtpd_sasl_auth_enable = yes
>
> I do have that already.
>
> > And in /etc/postfix/sasl/smtpd.conf:
>
> Hrm. I don't have this file. But I never did and this all worked
> prior to a few days ago when the machine was upgraded from EL7 to EL8,
> which unsurprisingly upgrades a lot of things in big jumps. So maybe
> this is now necessary.
>
> Ahh. Looking at smtpd's strace output, it seems it's looking in
> /etc/sasl2/smtpd.conf on my machine and I do have that file with:
>
> pwcheck_method: saslauthd
> mech_list: gssapi plain login
>
> > keytab: /etc/smtp.keytab
>
> And indeed, winner winner, chicken dinner! Adding a "keytab:
> /etc/postfix/smtp.keytab" to that file is making smtpd use the correct
> keytab file now.
>
> So this must all be new behavior in some upgraded versions.

The keytab option for the cyrus-sasl gssapi plugin is somewhat new
(considering that RHEL-8 is almost 3 years old now) and is probably
causing the change in behavior wrt environment variables that you are
experiencing.
--
Simo Sorce
RHEL Crypto Team
Red Hat, Inc
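
Added example, not part of the thread or of any project's code: a small check that reads the "keytab:" option from a Cyrus SASL config file such as the /etc/sasl2/smtpd.conf discussed above and flags a keytab that is missing, is set to conflicting values, or is accessible to other users. The function names and the simplified "option: value" parsing are assumptions of this example; run it as the account the service uses if the readability result is to be meaningful.

```python
import os
import stat
import sys


def option_values(conf_text, name):
    """Collect every value given for `name` in 'option: value' config text."""
    values = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        key, sep, val = line.partition(":")
        if sep and key.strip().lower() == name:
            values.append(val.strip())
    return values


def check_keytab(conf_path):
    """Return a list of findings; an empty list means nothing was flagged."""
    try:
        with open(conf_path, encoding="utf-8") as fh:
            paths = option_values(fh.read(), "keytab")
    except OSError as exc:
        return [f"{conf_path}: {exc.strerror}"]
    if not paths:
        return ["no keytab option set in " + conf_path]
    findings = []
    if len(set(paths)) > 1:
        findings.append("keytab is set more than once with different values")
    for path in sorted(set(paths)):
        try:
            st = os.stat(path)
        except OSError as exc:
            findings.append(f"{path}: {exc.strerror}")
            continue
        if not stat.S_ISREG(st.st_mode):
            findings.append(f"{path}: not a regular file")
        if st.st_mode & 0o007:  # any permission bit for "other" exposes the keys
            findings.append(f"{path}: mode {stat.S_IMODE(st.st_mode):04o} grants access to other users")
        if not os.access(path, os.R_OK):
            findings.append(f"{path}: not readable by the current user")
    return findings


if __name__ == "__main__":
    # Default is the config path named in the thread; pass another as argv[1].
    conf = sys.argv[1] if len(sys.argv) > 1 else "/etc/sasl2/smtpd.conf"
    results = check_keytab(conf)
    print("\n".join(results) if results else "nothing flagged for the keytab option")
    sys.exit(1 if results else 0)
```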