Getting Postfix to work with cyrus-sasl GSSAPI mechanism

I'm trying to get Postfix to authenticate mail clients on our Active Directory domain with the GSSAPI mechanism. I'm fairly sure I've got something wrong with the sasl configuration, and I'm hoping to get some pointers on what I might be doing wrong.

After comparing notes with other threads and websites, the content of the logs, and the results of an ldapwhoami test, I'm wondering if I'm missing an LDAP component in my configuration somewhere?

Since the results of trying the sasl sample-server give similar log messages to what Postfix produces, I'm guessing that if I can figure out what satisfies the sample-server application I can also satisfy Postfix.

referencing:
http://asg.andrew.cmu.edu/archive/message.php?mailbox=archive.cyrus-sasl&msg=9939
http://asg.andrew.cmu.edu/archive/message.php?mailbox=archive.cyrus-sasl&searchterm=GSSAPI&msg=282
http://asg.andrew.cmu.edu/archive/message.php?mailbox=archive.cyrus-sasl&msg=9928
http://cyrusimap.web.cmu.edu/docs/cyrus-sasl/2.1.23/gssapi.php

Here's how I think it's breaking down:

* Client gets a TGT from the kdc - good
* Client starts a connection with the Postfix smtpd - good
* Postfix responds with supported AUTH mechanisms - good
     - Wireshark shows AUTH GSSAPI in the response to EHLO
* The client then requests the smtp ticket from the kdc - good

******  kerberos tickets on the client after the auth attempt   *****
C:\Users\MrUser\Documents>klist

Current LogonId is 0:0x31e1c

Cached Tickets: (2)

#0>     Client: MrUser @ EXAMPLE.COM
        Server: krbtgt/EXAMPLE.COM @ EXAMPLE.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
        Start Time: 4/30/2013 10:57:01 (local)
        End Time:   4/30/2013 20:57:01 (local)
        Renew Time: 6/3/2013 10:57:01 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96


#1>     Client: MrUser @ EXAMPLE.COM
        Server: smtp/sbsmtpnv03.EXAMPLE.com @ EXAMPLE.COM
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
        Start Time: 4/30/2013 10:58:17 (local)
        End Time:   4/30/2013 20:57:01 (local)
        Renew Time: 6/3/2013 10:57:01 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
*****

* Client responds with AUTH GSSAPI ...  a long text string ...
* Client receives a message saying, "S: 535 5.7.8 Error: authentication failed: generic failure"

When this happens this is shown in my authentication log (/var/log/secure):

Apr 30 10:58:18 SBSMTPNV03 postfix/smtpd[17554]: auxpropfunc error invalid parameter supplied
Apr 30 10:58:18 SBSMTPNV03 postfix/smtpd[17554]: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: ldapdb

This is what is shown in the postfix log:

Apr 30 10:58:18 SBSMTPNV03 postfix/smtpd[17554]: warning: SASL authentication failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information ()
Apr 30 10:58:18 SBSMTPNV03 postfix/smtpd[17554]: warning: nvit01b.EXAMPLE.com[10.20.2.0]: SASL GSSAPI authentication failed: generic failure

When I try testing my SASL configuration with the sample-server and sample client I get the same message as when Postfix tries to authenticate with SASL:

# sasl2-sample-server -m GSSAPI -s smtp
trying 2, 1, 6
trying 10, 1, 6
socket: Address family not supported by protocol

Apr 30 11:13:42 SBSMTPNV03 sasl2-sample-server: auxpropfunc error invalid parameter supplied
Apr 30 11:13:42 SBSMTPNV03 sasl2-sample-server: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: ldapdb

Along my path of trying to figure this out, and referring to another thread on this list, I tried this:

# ldapwhoami -Y GSSAPI -D "CN=Matthew Larsen,OU=IT,OU=SRS,OU=Users,OU=SITENAME,OU=_Corporate,DC=EXAMPLE,DC=COM" -H ldap://10.20.1.3
SASL/GSSAPI authentication started
SASL username: MrUser@xxxxxxxxxxx
SASL SSF: 56
SASL data security layer installed.
u:EXAMPLE\MrUser

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: MrUser@xxxxxxxxxxx

Valid starting     Expires            Service principal
04/30/13 09:54:57  04/30/13 19:55:01  krbtgt/EXAMPLE.COM@xxxxxxxxxxx
        renew until 05/07/13 09:54:57
04/30/13 10:20:39  04/30/13 19:55:01  ldap/dcnv02.EXAMPLE.com@xxxxxxxxxxx
        renew until 05/07/13 09:54:57

So the kerberos exchange must be working to some extent on the system.


////////////////

Here's some supporting information to fill in information gaps:

/////////////////

# saslauthd -v
saslauthd 2.1.23
authentication mechanisms: getpwent kerberos5 pam rimap shadow ldap


# klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 smtp/SBSMTPNV03.EXAMPLE.com@xxxxxxxxxxx (des-cbc-crc)
   4 smtp/SBSMTPNV03.EXAMPLE.com@xxxxxxxxxxx (des-cbc-md5)
   4 smtp/SBSMTPNV03.EXAMPLE.com@xxxxxxxxxxx (arcfour-hmac)
   4 smtp/SBSMTPNV03.EXAMPLE.com@xxxxxxxxxxx (aes256-cts-hmac-sha1-96)
   4 smtp/SBSMTPNV03.EXAMPLE.com@xxxxxxxxxxx (aes128-cts-hmac-sha1-96)
[root@SBSMTPNV03 sample]#

I've also tried adding to my Postfix main.cf file
import_environment = KRB5_KTNAME=FILE:/etc/postfix/smtp.keytab

# klist -ke /etc/postfix/smtp.keytab
Keytab name: FILE:/etc/postfix/smtp.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 smtp/SBSMTPNV03.EXAMPLE.com@xxxxxxxxxxx (des-cbc-crc)
   4 smtp/SBSMTPNV03.EXAMPLE.com@xxxxxxxxxxx (des-cbc-md5)
   4 smtp/SBSMTPNV03.EXAMPLE.com@xxxxxxxxxxx (arcfour-hmac)
   4 smtp/SBSMTPNV03.EXAMPLE.com@xxxxxxxxxxx (aes256-cts-hmac-sha1-96)
   4 smtp/SBSMTPNV03.EXAMPLE.com@xxxxxxxxxxx (aes128-cts-hmac-sha1-96)
# ldd /usr/libexec/postfix/smtpd | grep libsasl
        libsasl2.so.2 => /usr/lib64/libsasl2.so.2 (0x00007f4146578000)

# saslfinger -s
saslfinger - postfix Cyrus sasl configuration Tue Apr 30 10:47:46 PDT 2013
version: 1.0.2
mode: server-side SMTP AUTH

-- basics --
Postfix: 2.6.6
System: CentOS release 6.4 (Final)

-- smtpd is linked to --
        libsasl2.so.2 => /usr/lib64/libsasl2.so.2 (0x00007f917a6a2000)

-- active SMTP AUTH and TLS parameters for smtpd --
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_security_options = noanonymous,noplaintext


-- listing of /usr/lib64/sasl2 --
total 432
drwxr-xr-x.  2 root root  4096 Apr 23 15:49 .
dr-xr-xr-x. 27 root root 20480 Apr 23 16:56 ..
-rwxr-xr-x.  1 root root 18776 Nov 27 03:49 libanonymous.so
-rwxr-xr-x.  1 root root 18776 Nov 27 03:49 libanonymous.so.2
-rwxr-xr-x.  1 root root 18776 Nov 27 03:49 libanonymous.so.2.0.23
-rwxr-xr-x.  1 root root 31256 Nov 27 03:49 libgssapiv2.so
-rwxr-xr-x.  1 root root 31256 Nov 27 03:49 libgssapiv2.so.2
-rwxr-xr-x.  1 root root 31256 Nov 27 03:49 libgssapiv2.so.2.0.23
-rwxr-xr-x.  1 root root 18784 Nov 27 03:49 libldapdb.so
-rwxr-xr-x.  1 root root 18784 Nov 27 03:49 libldapdb.so.2
-rwxr-xr-x.  1 root root 18784 Nov 27 03:49 libldapdb.so.2.0.23
-rwxr-xr-x.  1 root root 18808 Nov 27 03:49 liblogin.so
-rwxr-xr-x.  1 root root 18808 Nov 27 03:49 liblogin.so.2
-rwxr-xr-x.  1 root root 18808 Nov 27 03:49 liblogin.so.2.0.23
-rwxr-xr-x.  1 root root 18808 Nov 27 03:49 libplain.so
-rwxr-xr-x.  1 root root 18808 Nov 27 03:49 libplain.so.2
-rwxr-xr-x.  1 root root 18808 Nov 27 03:49 libplain.so.2.0.23
-rwxr-xr-x.  1 root root 22784 Nov 27 03:49 libsasldb.so
-rwxr-xr-x.  1 root root 22784 Nov 27 03:49 libsasldb.so.2
-rwxr-xr-x.  1 root root 22784 Nov 27 03:49 libsasldb.so.2.0.23

-- listing of /etc/sasl2 --
total 12
drwxr-xr-x.  2 root root 4096 Apr 24 15:22 .
drwxr-xr-x. 61 root root 4096 Apr 29 16:46 ..
-rw-r--r--   1 root root   69 Apr 23 11:30 smtpd.conf
-- content of /etc/sasl2/smtpd.conf --
log_level: 6
pwcheck_method: saslauthd
mech_list: gssapi plain login


-- active services in /etc/postfix/master.cf --
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
smtp      inet  n       -       n       -       -       smtpd
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
        -o smtp_fallback_relay=
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache

-- mechanisms on localhost --

-- end of saslfinger output --

Kerberos config file:

# cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 EXAMPLE.COM = {
  kdc = dcnv01.EXAMPLE.com
  admin_server = dcnv01.EXAMPLE.com
  default_domain = EXAMPLE.com
 }

[domain_realm]
 .EXAMPLE.com = EXAMPLE.COM
 EXAMPLE.com = EXAMPLE.COM


[appdefaults]
 pam = {
        debug = false
        ticket_lifetime = 24h
        renew_lifetime = 7d
        forwardable = true
 }
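As an added example (not from the original post, nor code from Postfix or Cyrus SASL), the script below cross-checks the two pieces of evidence quoted above: the service ticket the Windows client obtained (from its `klist`) and the server keytab (from `klist -ke`). It reports whether the principal the client asked for has an entry in the keytab, whether the ticket's encryption type has a matching key, and whether the only difference is letter case (MIT Kerberos compares principal names case-sensitively, so a case-only difference is worth investigating). The sample outputs are constructed from the post, with the realm filled in as EXAMPLE.COM where the post masks it; the mapping from Windows enctype display names to MIT names is an assumption of this example.

```python
"""Cross-check a client-side Kerberos service ticket against the server keytab.

Added example, not part of the original post. Parses Windows `klist` output
from the client and `klist -ke` output from the Postfix host, then classifies
each service ticket against the keytab entries.
"""
import re

# Constructed sample: Windows klist output on the client (abridged from the post).
WINDOWS_KLIST = """\
#1>     Client: MrUser @ EXAMPLE.COM
        Server: smtp/sbsmtpnv03.EXAMPLE.com @ EXAMPLE.COM
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
        Session Key Type: RSADSI RC4-HMAC(NT)
"""

# Constructed sample: `klist -ke` on the server (realm filled in as EXAMPLE.COM).
SERVER_KEYTAB = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 smtp/SBSMTPNV03.EXAMPLE.com@EXAMPLE.COM (des-cbc-crc)
   4 smtp/SBSMTPNV03.EXAMPLE.com@EXAMPLE.COM (des-cbc-md5)
   4 smtp/SBSMTPNV03.EXAMPLE.com@EXAMPLE.COM (arcfour-hmac)
   4 smtp/SBSMTPNV03.EXAMPLE.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   4 smtp/SBSMTPNV03.EXAMPLE.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
"""

# Windows enctype display names mapped to the names `klist -ke` prints
# (assumed mapping for this example; unknown names are passed through).
WINDOWS_TO_MIT_ENCTYPE = {
    "RSADSI RC4-HMAC(NT)": "arcfour-hmac",
    "AES-256-CTS-HMAC-SHA1-96": "aes256-cts-hmac-sha1-96",
    "AES-128-CTS-HMAC-SHA1-96": "aes128-cts-hmac-sha1-96",
}


def parse_windows_tickets(text):
    """Return a list of (server_principal, mit_enctype) from Windows klist output."""
    tickets = []
    server = None
    for line in text.splitlines():
        m = re.match(r"\s*Server:\s*(\S+)\s*@\s*(\S+)", line)
        if m:
            # Windows prints "service/host @ REALM"; normalise to service/host@REALM.
            server = f"{m.group(1)}@{m.group(2)}"
            continue
        m = re.match(r"\s*KerbTicket Encryption Type:\s*(.+?)\s*$", line)
        if m and server:
            tickets.append((server, WINDOWS_TO_MIT_ENCTYPE.get(m.group(1), m.group(1))))
            server = None
    return tickets


def parse_keytab_listing(text):
    """Return {principal: {enctype, ...}} from `klist -ke` output."""
    entries = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(\S+)\s+\((\S+)\)", line)  # KVNO principal (enctype)
        if m:
            entries.setdefault(m.group(2), set()).add(m.group(3))
    return entries


def check_ticket_against_keytab(ticket, keytab):
    """Classify one client ticket against the keytab.

    Returns one of:
      "ok"               exact principal match and a key of the ticket's enctype
      "enctype-missing"  principal matches but no key of that enctype
      "case-mismatch"    principal differs only in letter case
      "no-entry"         nothing in the keytab resembles this principal
    """
    principal, enctype = ticket
    if principal in keytab:
        return "ok" if enctype in keytab[principal] else "enctype-missing"
    for kt_principal in keytab:
        if kt_principal.lower() == principal.lower():
            return "case-mismatch"
    return "no-entry"


def report(windows_klist, keytab_listing):
    """Run the check for every service ticket the client holds."""
    keytab = parse_keytab_listing(keytab_listing)
    return {p: check_ticket_against_keytab((p, e), keytab)
            for p, e in parse_windows_tickets(windows_klist)}


if __name__ == "__main__":
    for principal, verdict in report(WINDOWS_KLIST, SERVER_KEYTAB).items():
        print(f"{principal}: {verdict}")
```

On the sample data the only service ticket is classified as `case-mismatch`: the client holds a ticket for `smtp/sbsmtpnv03.EXAMPLE.com` while the keytab entries are for `smtp/SBSMTPNV03.EXAMPLE.com`. Whether that is what makes a given acceptor fail depends on the Kerberos library and version, so the verdict is a pointer for investigation rather than a diagnosis; an `enctype-missing` verdict would point at a keytab that lacks the key type the KDC issued the ticket with.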
