GSSAPI / SASL problems of sasl2-bin on Ubuntu 10.04.4

John Mok jmok at attglobal.net
Mon Jul 9 09:10:31 EDT 2012


Hi Dan,

Thanks for your prompt reply.

> Your postfix process is retrieving information, such as postmaps, from an
> openldap server, using gssapi authentication? Or are you retrieving your
> postmaps from an Active Directory server?

Yes, I retrieve postmaps from OpenLDAP server using GSSAPI authentication.

> klist (verify that you have a TGT)
>
> ldapwhoami -O maxssf=0 -Y GSSAPI ...
>
> and use wireshark to capture the interaction, which will show you any
> errors that the KDC may be providing over the network.

I captured the packets and did not see any particular Kerberos errors 
from the KDC.

> Is the keytab file being used by postfix, by openldap, or both?
>
> Where is your keytab file located? If it is not located in
> /etc/krb5.keytab, then you will need to add some configuration for

I put the service principals in the default keytab file at 
/etc/krb5.keytab, and the OpenLDAP user has read access to the keytab.

I succeeded in making it work on Ubuntu 8.04.4; any idea why it did not 
work on Ubuntu 10.04.4?

Thanks a lot.

John Mok


On 7/6/2012 11:54 PM, Dan White wrote:
> On 07/06/12 23:11 +0800, John Mok wrote:
>> Hi,
>>
>> I have succeeded using GSSAPI SASL for OpenLDAP + Postfix access on 
>> Ubuntu 8.04.4. When I made the same setup on Ubuntu 10.04.4 :-
>
> Your postfix process is retrieving information, such as postmaps, from an
> openldap server, using gssapi authentication? Or are you retrieving your
> postmaps from an Active Directory server?
>
>>> ldapwhoami -Y GSSAPI
>>
>> it returned an error (80).
>>
>> sasl2-bin 2.1.23
>> libsasl2-modules 2.1.23
>> libsasl2-modules-gssapi-heimdal 2.1.23
>>
>> When I tried libsasl2-modules-gssapi-mit, it returned (key table 
>> entry not found). When I tried libsasl2-modules-gssapi-heimdal, it 
>> returned "No credentials were supplied, or the credentials were 
>> unavailable or inaccessible ...". I checked with ktutil list and it 
>> listed the kerberos principals from Windows 2003 correctly.
>
> for the client side ldapwhoami attempt, try:
>
> klist (verify that you have a TGT)
>
> ldapwhoami -O maxssf=0 -Y GSSAPI ...
>
> and use wireshark to capture the interaction, which will show you any
> errors that the KDC may be providing over the network.
>
> adding '-d -1' may also be helpful. Check your syslog output (auth
> facility) for any sasl errors.
>
> Is the keytab file being used by postfix, by openldap, or both?
>
> Where is your keytab file located? If it is not located in
> /etc/krb5.keytab, then you will need to add some configuration for the
> gssapi plugin to find its location. If using the heimdal plugin,
> create a sasl config file (e.g. /usr/lib/sasl2/slapd.conf) with:
>
> keytab: /path/to/file.keytab
>
> If you're using the mit plugin, you'll specify the location using the
> KRB5_KTNAME environment variable.
>
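The client-side checks Dan lists above (a valid TGT, `ldapwhoami -O maxssf=0 -Y GSSAPI`, and where each plugin looks for its keytab) collected into a small POSIX shell helper. This is an added example, not code from the thread or from Cyrus SASL; it assumes the heimdal plugin reads a `keytab:` line from a SASL config file such as /usr/lib/sasl2/slapd.conf and the MIT plugin honours KRB5_KTNAME, as described above, and the config path and LDAP URI are placeholders.

```shell
#!/bin/sh
# Resolve the keytab path a Cyrus SASL GSSAPI plugin would use.
#   $1 = SASL config file read by the heimdal plugin (e.g. /usr/lib/sasl2/slapd.conf)
#   $2 = value of KRB5_KTNAME as seen by the MIT plugin ("" if unset)
# Falls back to the library default /etc/krb5.keytab.
resolve_keytab() {
    conf="$1"; ktname="$2"
    if [ -n "$ktname" ]; then
        printf '%s\n' "${ktname#FILE:}"      # KRB5_KTNAME may carry a FILE: prefix
    elif [ -r "$conf" ] && grep -q '^keytab:' "$conf"; then
        sed -n 's/^keytab:[[:space:]]*//p' "$conf" | head -n 1
    else
        printf '%s\n' /etc/krb5.keytab
    fi
}

# Return 0 if the keytab exists and is readable by the current user.
# Run this as the service user (e.g. sudo -u openldap sh -c '...') because
# slapd reads the keytab unprivileged; "key table entry not found" and
# "No credentials were supplied" both surface when it cannot.
keytab_readable() {
    file="$1"
    [ -f "$file" ] && [ -r "$file" ]
}

# List the principals in a keytab so the service principal can be eyeballed
# (heimdal: ktutil -k FILE list; MIT: klist -k FILE).
keytab_principals() {
    file="$1"
    if command -v ktutil >/dev/null 2>&1; then ktutil -k "$file" list
    else klist -k "$file"; fi
}

# Interactive client-side sequence from the thread: verify the TGT, then
# bind without a security layer so only the GSSAPI exchange is exercised,
# with full SASL/LDAP debugging so plugin errors show up.
gssapi_client_check() {
    ldap_uri="${1:-ldap://ldap.example.org}"    # placeholder URI
    klist -s || { echo "no valid TGT: run kinit first" >&2; return 1; }
    ldapwhoami -H "$ldap_uri" -O maxssf=0 -Y GSSAPI -d -1
}
```

After a failed run, check the syslog auth facility for the matching SASL error, as Dan suggests, and compare the principal `ktutil`/`klist -k` lists against the one the error message names.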



More information about the Cyrus-sasl mailing list