Re: Getting Postfix to work with cyrus-sasl GSSAPI mechanism

On 04/30/13 11:45 -0700, Matthew Larsen wrote:
I'm trying to get Postfix to authenticate mail clients on our Active Directory domain with the GSSAPI mechanism. I'm fairly sure I've got something wrong with the sasl configuration, and I'm hoping to get some pointers on what I might be doing wrong.

C:\Users\MrUser\Documents>klist

Cached Tickets: (2)

* Client receives a message saying, "S: 535 5.7.8 Error: authentication failed: generic failure"

Verify gssapi support was compiled as a shared library or was statically
compiled into your libsasl2 library. Typically you would verify that with
pluginviewer, if it's available.

When this happens this is shown in my authentication log (/var/log/secure):

Apr 30 10:58:18 SBSMTPNV03 postfix/smtpd[17554]: auxpropfunc error invalid parameter supplied
Apr 30 10:58:18 SBSMTPNV03 postfix/smtpd[17554]: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: ldapdb

As was mentioned previously, these are not relevant to the problem. You can
suppress those errors by adding this to your /etc/sasl2/smtpd.conf:

auxprop_plugin: sasldb

This is what is shown in the postfix log:

Apr 30 10:58:18 SBSMTPNV03 postfix/smtpd[17554]: warning: SASL authentication failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information ()
Apr 30 10:58:18 SBSMTPNV03 postfix/smtpd[17554]: warning: nvit01b.EXAMPLE.com[10.20.2.0]: SASL GSSAPI authentication failed: generic failure

When I try testing my SASL configuration with the sample-server and sample client I get the same message as when Postfix tries to authenticate with SASL:

Along my path at trying to figure this out, and referring to another thread on this list, I tried this:

# ldapwhoami -Y GSSAPI -D "CN=Matthew Larsen,OU=IT,OU=SRS,OU=Users,OU=SITENAME,OU=_Corporate,DC=EXAMPLE,DC=COM" -H ldap://10.20.1.3
SASL/GSSAPI authentication started
SASL username: MrUser@xxxxxxxxxxx
SASL SSF: 56
SASL data security layer installed.
u:EXAMPLE\MrUser

Your -D parameter is ignored here. Your authc identity should be derived
via your ticket.

On this system, try using smtptest, which is distributed with cyrus imapd:

smtptest -m GSSAPI <hostname>

Here's some supporting information to fill in information gaps:

/////////////////

# saslauthd -v
saslauthd 2.1.23
authentication mechanisms: getpwent kerberos5 pam rimap shadow ldap


I've also tried adding to my Postfix main.cf file
import_environment = KRB5_KTNAME=FILE:/etc/postfix/smtp.keytab

If your cyrus gssapi plugin was compiled against heimdal, you may need to
add this to your /etc/sasl2/smtpd.conf instead:

keytab: /etc/postfix/smtp.keytab

# saslfinger -s
saslfinger - postfix Cyrus sasl configuration Tue Apr 30 10:47:46 PDT 2013
version: 1.0.2
mode: server-side SMTP AUTH

-- basics --
Postfix: 2.6.6
System: CentOS release 6.4 (Final)

-- smtpd is linked to --
       libsasl2.so.2 => /usr/lib64/libsasl2.so.2 (0x00007f917a6a2000)

-- active SMTP AUTH and TLS parameters for smtpd --
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_security_options = noanonymous,noplaintext


-- listing of /usr/lib64/sasl2 --
total 432
drwxr-xr-x.  2 root root  4096 Apr 23 15:49 .
dr-xr-xr-x. 27 root root 20480 Apr 23 16:56 ..
-rwxr-xr-x.  1 root root 18776 Nov 27 03:49 libanonymous.so
-rwxr-xr-x.  1 root root 18776 Nov 27 03:49 libanonymous.so.2
-rwxr-xr-x.  1 root root 18776 Nov 27 03:49 libanonymous.so.2.0.23
-rwxr-xr-x.  1 root root 31256 Nov 27 03:49 libgssapiv2.so
-rwxr-xr-x.  1 root root 31256 Nov 27 03:49 libgssapiv2.so.2
-rwxr-xr-x.  1 root root 31256 Nov 27 03:49 libgssapiv2.so.2.0.23
-rwxr-xr-x.  1 root root 18784 Nov 27 03:49 libldapdb.so
-rwxr-xr-x.  1 root root 18784 Nov 27 03:49 libldapdb.so.2
-rwxr-xr-x.  1 root root 18784 Nov 27 03:49 libldapdb.so.2.0.23
-rwxr-xr-x.  1 root root 18808 Nov 27 03:49 liblogin.so
-rwxr-xr-x.  1 root root 18808 Nov 27 03:49 liblogin.so.2
-rwxr-xr-x.  1 root root 18808 Nov 27 03:49 liblogin.so.2.0.23
-rwxr-xr-x.  1 root root 18808 Nov 27 03:49 libplain.so
-rwxr-xr-x.  1 root root 18808 Nov 27 03:49 libplain.so.2
-rwxr-xr-x.  1 root root 18808 Nov 27 03:49 libplain.so.2.0.23
-rwxr-xr-x.  1 root root 22784 Nov 27 03:49 libsasldb.so
-rwxr-xr-x.  1 root root 22784 Nov 27 03:49 libsasldb.so.2
-rwxr-xr-x.  1 root root 22784 Nov 27 03:49 libsasldb.so.2.0.23

-- listing of /etc/sasl2 --
total 12
drwxr-xr-x.  2 root root 4096 Apr 24 15:22 .
drwxr-xr-x. 61 root root 4096 Apr 29 16:46 ..
-rw-r--r--   1 root root   69 Apr 23 11:30 smtpd.conf




-- content of /etc/sasl2/smtpd.conf --
log_level: 6
pwcheck_method: saslauthd
mech_list: gssapi plain login


-- active services in /etc/postfix/master.cf --
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
smtp      inet  n       -       n       -       -       smtpd
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
       -o smtp_fallback_relay=
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache

-- mechanisms on localhost --

-- end of saslfinger output --

Kerberos config file:

# cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true

[realms]
EXAMPLE.COM = {
 kdc = dcnv01.EXAMPLE.com
 admin_server = dcnv01.EXAMPLE.com
 default_domain = EXAMPLE.com
}

[domain_realm]
.EXAMPLE.com = EXAMPLE.COM
EXAMPLE.com = EXAMPLE.COM


[appdefaults]
pam = {
       debug = false
       ticket_lifetime = 24h
       renew_lifetime = 7d
       forwardable = true
}

--
Dan White
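An added configuration audit (example code, not written by either poster) that applies the points raised in this reply to the smtpd.conf and main.cf fragments quoted above: GSSAPI in mech_list, an explicit auxprop_plugin to stop the ldapdb plugin noise, a keytab reachable either via the SASL keytab option or KRB5_KTNAME, and the interaction of noplaintext with plain/login. The sample configs and the "fixed" variant are constructed here from the message's text, not read from live files.

```python
"""Audit a Cyrus SASL smtpd.conf plus related Postfix main.cf settings for the
GSSAPI problems raised in this thread. The configs below are constructed from
the ones quoted in the message; they are not read from live files."""

QUOTED_SMTPD_CONF = """log_level: 6
pwcheck_method: saslauthd
mech_list: gssapi plain login
"""

QUOTED_MAIN_CF = """broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_security_options = noanonymous,noplaintext
"""

# Constructed variant applying the suggestions from the reply (keytab path from the thread).
FIXED_SMTPD_CONF = """log_level: 6
pwcheck_method: saslauthd
mech_list: gssapi
auxprop_plugin: sasldb
keytab: /etc/postfix/smtp.keytab
"""

def parse_kv(text, sep):
    """Parse 'key: value' (SASL) or 'key = value' (Postfix) lines into a dict."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(sep)
            conf[key.strip().lower()] = value.strip()
    return conf

def audit(smtpd_conf, main_cf):
    """Return a list of findings; an empty list means nothing to flag."""
    sasl, pf = parse_kv(smtpd_conf, ":"), parse_kv(main_cf, "=")
    findings = []
    mechs = sasl.get("mech_list", "").lower().split()
    if "gssapi" not in mechs:
        findings.append("mech_list does not offer GSSAPI")
    if "auxprop_plugin" not in sasl:
        # Unset => libsasl loads every auxprop plugin, hence the ldapdb _sasl_plugin_load noise.
        findings.append("auxprop_plugin unset; add 'auxprop_plugin: sasldb'")
    if "keytab" not in sasl and "KRB5_KTNAME=" not in pf.get("import_environment", ""):
        findings.append("no keytab: set 'keytab:' (heimdal) or KRB5_KTNAME via "
                        "import_environment (MIT)")
    secopts = pf.get("smtpd_sasl_security_options", "").replace(" ", "").split(",")
    if "noplaintext" in secopts and any(m in ("plain", "login") for m in mechs):
        findings.append("plain/login listed but noplaintext filters them out")
    return findings
```

Run `audit(QUOTED_SMTPD_CONF, QUOTED_MAIN_CF)` to see the three findings for the quoted setup; the fixed variant returns none.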
