Hi Dan,
Thanks for your prompt reply.
>Your postfix process is retrieving information, such as postmaps, from an
>openldap server, using gssapi authentication? Or are you retrieving your
>postmaps from an Active Directory server?
Yes, I retrieve postmaps from OpenLDAP server using GSSAPI authentication.
>klist (verify that you have a TGT)
>
>ldapwhoami -O maxssf=0 -Y GSSAPI ...
>
>and use wireshark to capture the interaction, which will show you any
>errors that the KDC may be providing over the network.
I captured the packets and did not see any particular Kerberos errors
from the KDC.
>Is the keytab file being used by postfix, by openldap, or both?
>
>Where is your keytab file located? If it is not located in
>/etc/krb5.keytab, then you will need to add some configuration for
I put the service principals in the default keytab file at
/etc/krb5.keytab, and the OpenLDAP user has read access to the keytab.
I succeeded in making it work on Ubuntu 8.04.4; any idea why it did not
work on Ubuntu 10.04.4?
Thanks a lot.
John Mok
On 7/6/2012 11:54 PM, Dan White wrote:
> On 07/06/12 23:11 +0800, John Mok wrote:
>> Hi,
>> I have succeeded using GSSAPI SASL for OpenLDAP + Postfix access on
>> Ubuntu 8.04.4. When I made the same setup on Ubuntu 10.04.4 :-
> Your postfix process is retrieving information, such as postmaps, from an
> openldap server, using gssapi authentication? Or are you retrieving your
> postmaps from an Active Directory server?
>> ldapwhoami -Y GSSAPI
>> it returned an error (80).
>> sasl2-bin 2.1.23
>> libsasl2-modules 2.1.23
>> libsasl2-modules-gssapi-heimdal 2.1.23
>> When I tried libsasl2-modules-gssapi-mit, it returned (key table
>> entry not found). When I tried libsasl2-modules-gssapi-heimdal, it
>> returned "No credentials were supplied, or the credentials were
>> unavailable or inaccessible ...". I checked with ktutil list and it
>> listed the kerberos principals from Windows 2003 correctly.
> For the client-side ldapwhoami attempt, try:
> klist (verify that you have a TGT)
> ldapwhoami -O maxssf=0 -Y GSSAPI ...
> and use wireshark to capture the interaction, which will show you any
> errors that the KDC may be providing over the network.
> adding '-d -1' may also be helpful. Check your syslog output (auth
> facility) for any sasl errors.
> Is the keytab file being used by postfix, by openldap, or both?
> Where is your keytab file located? If it is not located in
> /etc/krb5.keytab, then you will need to add some configuration for the
> gssapi plugin to find its location. If using the heimdal plugin,
> create a sasl config file (e.g. /usr/lib/sasl2/slapd.conf) with:
> keytab: /path/to/file.keytab
> If you're using the mit plugin, you'll specify the location using the
> KRB5_KTNAME environment variable.
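The checks Dan lists above (TGT present, GSSAPI bind with no security layer and full debug output, keytab location and readability for the service user, principals in the keytab, syslog) collected into one script. This is an added example, not code from either poster or from the OpenLDAP/Cyrus SASL projects. It assumes a Linux host with GNU coreutils (stat -c) and either MIT (klist -k) or Heimdal (ktutil -k ... list) tools on the path; the service user name "openldap" and the keytab paths in the comments are illustrative, and the permission check inspects only the mode bits, which is what a non-root slapd sees.

```shell
#!/bin/sh
# Added example (not from the thread): walk through the GSSAPI SASL checks
# suggested in the reply above. Assumes GNU stat and MIT or Heimdal tools.

# keytab_readable_by KEYTAB USER
# Exit 0 if the mode bits of KEYTAB let USER read it, 1 if not, 2 if the
# file is missing. POSIX semantics: an owner is judged by the owner bits
# only, a group member by the group bits only, everyone else by "other".
keytab_readable_by() {
    keytab=$1
    user=$2
    [ -f "$keytab" ] || return 2
    owner=$(stat -c %U "$keytab")
    group=$(stat -c %G "$keytab")
    mode=$(stat -c %a "$keytab")
    mode=${mode#"${mode%???}"}   # drop a leading setuid/setgid/sticky digit
    u=${mode%??}
    g=${mode#?}; g=${g%?}
    o=${mode#??}
    if [ "$owner" = "$user" ]; then
        if [ $((u & 4)) -ne 0 ]; then return 0; else return 1; fi
    fi
    if id -Gn "$user" 2>/dev/null | tr ' ' '\n' | grep -qx "$group"; then
        if [ $((g & 4)) -ne 0 ]; then return 0; else return 1; fi
    fi
    if [ $((o & 4)) -ne 0 ]; then return 0; else return 1; fi
}

# sasl_keytab_setting PLUGIN KEYTAB
# Prints the one line that points the gssapi plugin at a non-default keytab:
# a "keytab:" option in the SASL config file (e.g. /usr/lib/sasl2/slapd.conf)
# for the Heimdal plugin, the KRB5_KTNAME environment variable for MIT.
sasl_keytab_setting() {
    case $1 in
        heimdal) printf 'keytab: %s\n' "$2" ;;
        mit)     printf 'KRB5_KTNAME=%s\n' "$2" ;;
        *)       echo "unknown plugin: $1" >&2; return 1 ;;
    esac
}

# diagnose_gssapi KEYTAB SERVICE_USER
# Client-side and server-side checks, in the order the reply suggests.
diagnose_gssapi() {
    keytab=$1
    svcuser=$2
    echo "== client: credential cache (a TGT must be present)"
    klist || echo "no TGT found; run kinit first"
    echo "== client: GSSAPI bind, no SASL security layer, full debug output"
    ldapwhoami -O maxssf=0 -Y GSSAPI -d -1 2>&1 | tail -n 30
    echo "== server: can $svcuser read $keytab?"
    if keytab_readable_by "$keytab" "$svcuser"; then
        echo "yes"
    else
        echo "NO: fix ownership/mode, or point the plugin at the right file:"
        sasl_keytab_setting heimdal "$keytab"
        sasl_keytab_setting mit "$keytab"
    fi
    echo "== server: principals in $keytab (needs read access to the file)"
    klist -k "$keytab" 2>/dev/null || ktutil -k "$keytab" list 2>/dev/null \
        || echo "could not list keytab (no MIT klist/Heimdal ktutil, or unreadable)"
    echo "== server: check syslog (auth facility) for sasl errors, e.g.:"
    echo "   grep -i sasl /var/log/auth.log | tail"
}

# Run the checks only when called with arguments; sourcing the file just
# defines the functions. Example: sh gssapi-check.sh /etc/krb5.keytab openldap
if [ $# -eq 2 ]; then
    diagnose_gssapi "$1" "$2"
fi
```

Run it on the server as root so that the keytab listing works, but give it the slapd service user name so that the permission check reflects what slapd itself sees; a keytab that root can list but the service user cannot read produces exactly the "credentials unavailable or inaccessible" / "key table entry not found" symptoms described in the thread.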