On 04/30/13 11:45 -0700, Matthew Larsen wrote:
I'm trying to get Postfix to authenticate mail clients on our Active
Directory domain with the GSSAPI mechanism. I'm fairly sure I've got
something wrong with the sasl configuration, and I'm hoping to get
some pointers on what I might be doing wrong.
C:\Users\MrUser\Documents>klist
Cached Tickets: (2)
* Client receives a message saying, "S: 535 5.7.8 Error:
authentication falied: generic failure"
Verify gssapi support was compiled as a shared library or was statically
compiled into your libsasl2 library. Typically you would verify that with
pluginviewer, if it's available.
When this happens this is shown in my authentication log (/var/log/secure):
Apr 30 10:58:18 SBSMTPNV03 postfix/smtpd[17554]: auxpropfunc error
invalid parameter supplied
Apr 30 10:58:18 SBSMTPNV03 postfix/smtpd[17554]: _sasl_plugin_load
failed on sasl_auxprop_plug_init for plugin: ldapdb
As was mentioned previously, these are not relevant to the problem. You can
suppress those errors by adding this to your /etc/sasl2/smtpd.conf:
auxprop_plugin: sasldb
This is what is shown in the postfix log:
Apr 30 10:58:18 SBSMTPNV03 postfix/smtpd[17554]: warning: SASL
authentication failure: GSSAPI Error: Unspecified GSS failure. Minor
code may provide more information ()
Apr 30 10:58:18 SBSMTPNV03 postfix/smtpd[17554]: warning:
nvit01b.EXAMPLE.com[10.20.2.0]: SASL GSSAPI authentication failed:
generic failure
When I try testing my SASL configuration with the sample-server and
sample client I get the same message as when Postfix tries to
authenticate with SASL:
Along my path at trying to figure this out, and referring to another
thread on this list, I tried this:
# ldapwhoami -Y GSSAPI -D "CN=Matthew Larsen,OU=IT,OU=SRS,OU=Users,OU=SITENAME,OU=_Corporate,DC=EXAMPLE,DC=COM"
-H ldap://10.20.1.3
SASL/GSSAPI authentication started
SASL username: MrUser@xxxxxxxxxxx
SASL SSF: 56
SASL data security layer installed.
u:EXAMPLE\MrUser
Your -D parameter is ignored here. Your authc identity should be derived
via your ticket.
On this system, try using smtptest, which is distributed with cyrus imapd:
smtptest -m GSSAPI <hostname>
Here's some supporting information to fill in information gaps:
/////////////////
# saslauthd -v
saslauthd 2.1.23
authentication mechanisms: getpwent kerberos5 pam rimap shadow ldap
I've also tried adding to my Postfix main.cf file
import_environment = KRB5_KTNAME=FILE:/etc/postfix/smtp.keytab
If your cyrus gssapi plugin was compiled against heimdal, you may need to
add this to your /etc/sasl2/smtpd.conf instead:
keytab: /etc/postfix/smtp.keytab
# saslfinger -s
saslfinger - postfix Cyrus sasl configuration Tue Apr 30 10:47:46 PDT 2013
version: 1.0.2
mode: server-side SMTP AUTH
-- basics --
Postfix: 2.6.6
System: CentOS release 6.4 (Final)
-- smtpd is linked to --
libsasl2.so.2 => /usr/lib64/libsasl2.so.2 (0x00007f917a6a2000)
-- active SMTP AUTH and TLS parameters for smtpd --
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_security_options = noanonymous,noplaintext
-- listing of /usr/lib64/sasl2 --
total 432
drwxr-xr-x. 2 root root 4096 Apr 23 15:49 .
dr-xr-xr-x. 27 root root 20480 Apr 23 16:56 ..
-rwxr-xr-x. 1 root root 18776 Nov 27 03:49 libanonymous.so
-rwxr-xr-x. 1 root root 18776 Nov 27 03:49 libanonymous.so.2
-rwxr-xr-x. 1 root root 18776 Nov 27 03:49 libanonymous.so.2.0.23
-rwxr-xr-x. 1 root root 31256 Nov 27 03:49 libgssapiv2.so
-rwxr-xr-x. 1 root root 31256 Nov 27 03:49 libgssapiv2.so.2
-rwxr-xr-x. 1 root root 31256 Nov 27 03:49 libgssapiv2.so.2.0.23
-rwxr-xr-x. 1 root root 18784 Nov 27 03:49 libldapdb.so
-rwxr-xr-x. 1 root root 18784 Nov 27 03:49 libldapdb.so.2
-rwxr-xr-x. 1 root root 18784 Nov 27 03:49 libldapdb.so.2.0.23
-rwxr-xr-x. 1 root root 18808 Nov 27 03:49 liblogin.so
-rwxr-xr-x. 1 root root 18808 Nov 27 03:49 liblogin.so.2
-rwxr-xr-x. 1 root root 18808 Nov 27 03:49 liblogin.so.2.0.23
-rwxr-xr-x. 1 root root 18808 Nov 27 03:49 libplain.so
-rwxr-xr-x. 1 root root 18808 Nov 27 03:49 libplain.so.2
-rwxr-xr-x. 1 root root 18808 Nov 27 03:49 libplain.so.2.0.23
-rwxr-xr-x. 1 root root 22784 Nov 27 03:49 libsasldb.so
-rwxr-xr-x. 1 root root 22784 Nov 27 03:49 libsasldb.so.2
-rwxr-xr-x. 1 root root 22784 Nov 27 03:49 libsasldb.so.2.0.23
-- listing of /etc/sasl2 --
total 12
drwxr-xr-x. 2 root root 4096 Apr 24 15:22 .
drwxr-xr-x. 61 root root 4096 Apr 29 16:46 ..
-rw-r--r-- 1 root root 69 Apr 23 11:30 smtpd.conf
-- content of /etc/sasl2/smtpd.conf --
log_level: 6
pwcheck_method: saslauthd
mech_list: gssapi plain login
-- active services in /etc/postfix/master.cf --
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
smtp inet n - n - - smtpd
pickup fifo n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr fifo n - n 300 1 qmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp
-o smtp_fallback_relay=
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
-- mechanisms on localhost --
-- end of saslfinger output --
Kerberos config file:
# cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
EXAMPLE.COM = {
kdc = dcnv01.EXAMPLE.com
admin_server = dcnv01.EXAMPLE.com
default_domain = EXAMPLE.com
}
[domain_realm]
.EXAMPLE.com = EXAMPLE.COM
EXAMPLE.com = EXAMPLE.COM
[appdefaults]
pam = {
debug = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
}
--
Dan White
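Pulling the checks from this reply together, as an added example that is not code from the thread or from Cyrus SASL: a small Python preflight that parses smtpd.conf, flags a missing gssapi mechanism, the unset auxprop_plugin behind the ldapdb errors, and a keytab configured neither through Postfix import_environment (MIT) nor through an smtpd.conf keytab: line (Heimdal build), then triages smtpd log lines so the ldapdb auxprop noise is separated from the real GSSAPI failure and the client host[ip] is recorded. The sample config and log lines are constructed from the messages quoted above; the check rules are mine.

```python
import re
# Constructed sample input modelled on the thread, not live data.
SMTPD_CONF = "log_level: 6\npwcheck_method: saslauthd\nmech_list: gssapi plain login\n"
MAIN_CF = "import_environment = KRB5_KTNAME=FILE:/etc/postfix/smtp.keytab\n"
LOG_LINES = [
    "postfix/smtpd[17554]: auxpropfunc error invalid parameter supplied",
    "postfix/smtpd[17554]: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: ldapdb",
    "postfix/smtpd[17554]: warning: SASL authentication failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information ()",
    "postfix/smtpd[17554]: warning: nvit01b.EXAMPLE.com[10.20.2.0]: SASL GSSAPI authentication failed: generic failure",
]
# ldapdb auxprop load chatter (unrelated to GSSAPI) vs. the real SASL failure, capturing client host[ip] when logged.
NOISE = re.compile(r"auxpropfunc error|_sasl_plugin_load failed .*plugin: ldapdb")
GSS_FAIL = re.compile(r"(?:warning: (?P<client>\S+\[[\d.:]+\]): )?SASL (?:GSSAPI )?authentication fail(?:ure|ed)")

def parse_sasl_conf(text):
    # Cyrus SASL application config: one 'key: value' per line, '#' starts a comment.
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            conf[key.strip().lower()] = value.strip()
    return conf

def review_sasl_conf(conf, main_cf):
    # Config findings to settle before chasing Kerberos errors; keytab via import_environment (MIT) or 'keytab:' (Heimdal).
    findings = []
    if "gssapi" not in conf.get("mech_list", "").lower().split():
        findings.append("mech_list does not offer gssapi")
    if "auxprop_plugin" not in conf:
        findings.append("auxprop_plugin unset; add 'auxprop_plugin: sasldb' to stop the ldapdb auxprop errors")
    if not (re.search(r"KRB5_KTNAME=", main_cf) or "keytab" in conf):
        findings.append("no keytab configured via import_environment or smtpd.conf 'keytab:'")
    return findings

def triage_log(lines):
    # Separate ignorable ldapdb noise from real GSSAPI failures (with client host[ip]) and anything else.
    report = {"ldapdb_noise": [], "gssapi_failures": [], "clients": set(), "other": []}
    for line in lines:
        m = GSS_FAIL.search(line)
        if NOISE.search(line):
            report["ldapdb_noise"].append(line)
        elif m:
            report["gssapi_failures"].append(line)
            if m.group("client"):
                report["clients"].add(m.group("client"))
        else:
            report["other"].append(line)
    return report
```

Run against the constructed input it reports only the missing auxprop_plugin line and shows the two ldapdb lines are noise while the two failures from nvit01b.EXAMPLE.com[10.20.2.0] are the ones to pursue.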