I'm trying to get Postfix to authenticate mail clients on our Active
Directory domain with the GSSAPI mechanism. I'm fairly sure I've got
something wrong with the sasl configuration, and I'm hoping to get some
pointers on what I might be doing wrong.
After comparing notes with other threads and websites, the content of
the logs, and the results of an ldapwhoami test, I'm wondering if I'm
missing an LDAP component in my configuration somewhere?
Since the results of trying the sasl sample-server give similar log
messages to what Postfix produces, I'm guessing that if I can figure out
what satisfies the sample-server application I can also satisfy Postfix.
referencing:
http://asg.andrew.cmu.edu/archive/message.php?mailbox=archive.cyrus-sasl&msg=9939
http://asg.andrew.cmu.edu/archive/message.php?mailbox=archive.cyrus-sasl&searchterm=GSSAPI&msg=282
http://asg.andrew.cmu.edu/archive/message.php?mailbox=archive.cyrus-sasl&msg=9928
http://cyrusimap.web.cmu.edu/docs/cyrus-sasl/2.1.23/gssapi.php
Here's how I think it's breaking down:
* Client gets a TGT from the kdc - good
* Client starts a connection with the Postfix smtpd - good
* Postfix responds with supported AUTH mechanisms - good
- Wireshark shows AUTH GSSAPI in the response to EHLO
* The client then requests the smtp ticket from the kdc - good
****** kerberos tickets on the client after the auth attempt *****
C:\Users\MrUser\Documents>klist
Current LogonId is 0:0x31e1c
Cached Tickets: (2)
#0> Client: MrUser @ EXAMPLE.COM
Server: krbtgt/EXAMPLE.COM @ EXAMPLE.COM
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40e00000 -> forwardable renewable initial
pre_authent
Start Time: 4/30/2013 10:57:01 (local)
End Time: 4/30/2013 20:57:01 (local)
Renew Time: 6/3/2013 10:57:01 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
#1> Client: MrUser @ EXAMPLE.COM
Server: smtp/sbsmtpnv03.EXAMPLE.com @ EXAMPLE.COM
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
Start Time: 4/30/2013 10:58:17 (local)
End Time: 4/30/2013 20:57:01 (local)
Renew Time: 6/3/2013 10:57:01 (local)
Session Key Type: RSADSI RC4-HMAC(NT)
*****
* Client responds with AUTH GSSAPI ... a long text string ...
* Client receives a message saying, "S: 535 5.7.8 Error: authentication failed: generic failure"
When this happens this is shown in my authentication log (/var/log/secure):
Apr 30 10:58:18 SBSMTPNV03 postfix/smtpd[17554]: auxpropfunc error invalid parameter supplied
Apr 30 10:58:18 SBSMTPNV03 postfix/smtpd[17554]: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: ldapdb
This is what is shown in the postfix log:
Apr 30 10:58:18 SBSMTPNV03 postfix/smtpd[17554]: warning: SASL authentication failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information ()
Apr 30 10:58:18 SBSMTPNV03 postfix/smtpd[17554]: warning: nvit01b.EXAMPLE.com[10.20.2.0]: SASL GSSAPI authentication failed: generic failure
When I try testing my SASL configuration with the sample-server and
sample client I get the same message as when Postfix tries to
authenticate with SASL:
# sasl2-sample-server -m GSSAPI -s smtp
trying 2, 1, 6
trying 10, 1, 6
socket: Address family not supported by protocol
Apr 30 11:13:42 SBSMTPNV03 sasl2-sample-server: auxpropfunc error invalid parameter supplied
Apr 30 11:13:42 SBSMTPNV03 sasl2-sample-server: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: ldapdb
Along my path of trying to figure this out, and referring to another
thread on this list, I tried this:
# ldapwhoami -Y GSSAPI -D "CN=Matthew Larsen,OU=IT,OU=SRS,OU=Users,OU=SITENAME,OU=_Corporate,DC=EXAMPLE,DC=COM" -H ldap://10.20.1.3
SASL/GSSAPI authentication started
SASL username: MrUser@xxxxxxxxxxx
SASL SSF: 56
SASL data security layer installed.
u:EXAMPLE\MrUser
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: MrUser@xxxxxxxxxxx
Valid starting Expires Service principal
04/30/13 09:54:57 04/30/13 19:55:01 krbtgt/EXAMPLE.COM@xxxxxxxxxxx
renew until 05/07/13 09:54:57
04/30/13 10:20:39 04/30/13 19:55:01 ldap/dcnv02.EXAMPLE.com@xxxxxxxxxxx
renew until 05/07/13 09:54:57
So the kerberos exchange must be working to some extent on the system.
////////////////
Here's some supporting information to fill in information gaps:
/////////////////
# saslauthd -v
saslauthd 2.1.23
authentication mechanisms: getpwent kerberos5 pam rimap shadow ldap
# klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
4 smtp/SBSMTPNV03.EXAMPLE.com@xxxxxxxxxxx (des-cbc-crc)
4 smtp/SBSMTPNV03.EXAMPLE.com@xxxxxxxxxxx (des-cbc-md5)
4 smtp/SBSMTPNV03.EXAMPLE.com@xxxxxxxxxxx (arcfour-hmac)
4 smtp/SBSMTPNV03.EXAMPLE.com@xxxxxxxxxxx (aes256-cts-hmac-sha1-96)
4 smtp/SBSMTPNV03.EXAMPLE.com@xxxxxxxxxxx (aes128-cts-hmac-sha1-96)
[root@SBSMTPNV03 sample]#
I've also tried adding to my Postfix main.cf file
import_environment = KRB5_KTNAME=FILE:/etc/postfix/smtp.keytab
# klist -ke /etc/postfix/smtp.keytab
Keytab name: FILE:/etc/postfix/smtp.keytab
KVNO Principal
---- --------------------------------------------------------------------------
4 smtp/SBSMTPNV03.EXAMPLE.com@xxxxxxxxxxx (des-cbc-crc)
4 smtp/SBSMTPNV03.EXAMPLE.com@xxxxxxxxxxx (des-cbc-md5)
4 smtp/SBSMTPNV03.EXAMPLE.com@xxxxxxxxxxx (arcfour-hmac)
4 smtp/SBSMTPNV03.EXAMPLE.com@xxxxxxxxxxx (aes256-cts-hmac-sha1-96)
4 smtp/SBSMTPNV03.EXAMPLE.com@xxxxxxxxxxx (aes128-cts-hmac-sha1-96)
# ldd /usr/libexec/postfix/smtpd | grep libsasl
libsasl2.so.2 => /usr/lib64/libsasl2.so.2 (0x00007f4146578000)
# saslfinger -s
saslfinger - postfix Cyrus sasl configuration Tue Apr 30 10:47:46 PDT 2013
version: 1.0.2
mode: server-side SMTP AUTH
-- basics --
Postfix: 2.6.6
System: CentOS release 6.4 (Final)
-- smtpd is linked to --
libsasl2.so.2 => /usr/lib64/libsasl2.so.2 (0x00007f917a6a2000)
-- active SMTP AUTH and TLS parameters for smtpd --
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_security_options = noanonymous,noplaintext
-- listing of /usr/lib64/sasl2 --
total 432
drwxr-xr-x. 2 root root 4096 Apr 23 15:49 .
dr-xr-xr-x. 27 root root 20480 Apr 23 16:56 ..
-rwxr-xr-x. 1 root root 18776 Nov 27 03:49 libanonymous.so
-rwxr-xr-x. 1 root root 18776 Nov 27 03:49 libanonymous.so.2
-rwxr-xr-x. 1 root root 18776 Nov 27 03:49 libanonymous.so.2.0.23
-rwxr-xr-x. 1 root root 31256 Nov 27 03:49 libgssapiv2.so
-rwxr-xr-x. 1 root root 31256 Nov 27 03:49 libgssapiv2.so.2
-rwxr-xr-x. 1 root root 31256 Nov 27 03:49 libgssapiv2.so.2.0.23
-rwxr-xr-x. 1 root root 18784 Nov 27 03:49 libldapdb.so
-rwxr-xr-x. 1 root root 18784 Nov 27 03:49 libldapdb.so.2
-rwxr-xr-x. 1 root root 18784 Nov 27 03:49 libldapdb.so.2.0.23
-rwxr-xr-x. 1 root root 18808 Nov 27 03:49 liblogin.so
-rwxr-xr-x. 1 root root 18808 Nov 27 03:49 liblogin.so.2
-rwxr-xr-x. 1 root root 18808 Nov 27 03:49 liblogin.so.2.0.23
-rwxr-xr-x. 1 root root 18808 Nov 27 03:49 libplain.so
-rwxr-xr-x. 1 root root 18808 Nov 27 03:49 libplain.so.2
-rwxr-xr-x. 1 root root 18808 Nov 27 03:49 libplain.so.2.0.23
-rwxr-xr-x. 1 root root 22784 Nov 27 03:49 libsasldb.so
-rwxr-xr-x. 1 root root 22784 Nov 27 03:49 libsasldb.so.2
-rwxr-xr-x. 1 root root 22784 Nov 27 03:49 libsasldb.so.2.0.23
-- listing of /etc/sasl2 --
total 12
drwxr-xr-x. 2 root root 4096 Apr 24 15:22 .
drwxr-xr-x. 61 root root 4096 Apr 29 16:46 ..
-rw-r--r-- 1 root root 69 Apr 23 11:30 smtpd.conf
-- content of /etc/sasl2/smtpd.conf --
log_level: 6
pwcheck_method: saslauthd
mech_list: gssapi plain login
-- active services in /etc/postfix/master.cf --
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
smtp inet n - n - - smtpd
pickup fifo n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr fifo n - n 300 1 qmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp
-o smtp_fallback_relay=
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
-- mechanisms on localhost --
-- end of saslfinger output --
Kerberos config file:
# cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
EXAMPLE.COM = {
kdc = dcnv01.EXAMPLE.com
admin_server = dcnv01.EXAMPLE.com
default_domain = EXAMPLE.com
}
[domain_realm]
.EXAMPLE.com = EXAMPLE.COM
EXAMPLE.com = EXAMPLE.COM
[appdefaults]
pam = {
debug = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
}
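An added diagnostic helper, my own code rather than anything from the post or from Cyrus SASL: it parses the service-ticket block from a Windows klist and the server's klist -ke output (both recreated here as constructed samples modelled on the post, with the masked realm written as EXAMPLE.COM) and reports whether the ticket's service principal matches a keytab entry byte-for-byte, which is how Kerberos compares principal names, and whether the ticket's encryption type has a key in the keytab. The ETYPE_NAMES mapping from Windows labels to MIT keytab names is my assumption.

```python
import re

# Constructed samples modelled on the klist output quoted in the post (not copied verbatim).
CLIENT_KLIST = """\
#1> Client: MrUser @ EXAMPLE.COM
Server: smtp/sbsmtpnv03.EXAMPLE.com @ EXAMPLE.COM
KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
"""
SERVER_KEYTAB = """\
KVNO Principal
---- --------------------------------------------------------
   4 smtp/SBSMTPNV03.EXAMPLE.com@EXAMPLE.COM (des-cbc-crc)
   4 smtp/SBSMTPNV03.EXAMPLE.com@EXAMPLE.COM (arcfour-hmac)
   4 smtp/SBSMTPNV03.EXAMPLE.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
"""

# Windows klist encryption-type labels mapped to the names 'klist -ke' prints (assumed mapping).
ETYPE_NAMES = {
    "RSADSI RC4-HMAC(NT)": "arcfour-hmac",
    "AES-256-CTS-HMAC-SHA1-96": "aes256-cts-hmac-sha1-96",
    "AES-128-CTS-HMAC-SHA1-96": "aes128-cts-hmac-sha1-96",
}


def parse_client_ticket(text):
    """Return (service principal, keytab-style etype) from one Windows klist ticket block."""
    server = re.search(r"^Server:\s*(\S+)\s*@\s*(\S+)", text, re.M)
    etype = re.search(r"^KerbTicket Encryption Type:\s*(.+?)\s*$", text, re.M)
    principal = f"{server.group(1)}@{server.group(2)}"
    return principal, ETYPE_NAMES.get(etype.group(1), etype.group(1))


def parse_keytab(text):
    """Return [(kvno, principal, etype), ...] from 'klist -ke' output."""
    rows = re.findall(r"^\s*(\d+)\s+(\S+)\s+\((\S+)\)\s*$", text, re.M)
    return [(int(kvno), principal, etype) for kvno, principal, etype in rows]


def check_ticket_against_keytab(ticket_principal, ticket_etype, keytab):
    """Kerberos compares principal names byte-for-byte, so only an exact match finds the key."""
    exact = [e for e in keytab if e[1] == ticket_principal]
    folded = [e for e in keytab if e[1].lower() == ticket_principal.lower()]
    return {
        "exact_principal": bool(exact),
        "case_only_mismatch": bool(folded) and not exact,
        "etype_in_keytab": any(e[2] == ticket_etype for e in folded),
    }
```

Run it against your own klist output to see whether the hostname case in the ticket's service principal matches the keytab entry exactly.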