Getting Postfix to work with cyrus-sasl GSSAPI mechanism

Matthew Larsen utegrad at gmail.com
Tue Apr 30 14:45:58 EDT 2013


I'm trying to get Postfix to authenticate mail clients on our Active 
Directory domain with the GSSAPI mechanism.  I'm fairly sure I've got 
something wrong with the sasl configuration, and I'm hoping to get some 
pointers on what I might be doing wrong.

After comparing notes with other threads and websites, the content of 
the logs, and the results of a ldapwhoami test I'm wondering if I'm 
missing an LDAP component in my configuration somewhere?

Since the results of trying to the sasl sample-server give similar log 
messages to what Postfix produces, I'm guessing that if I can figure out 
what satisfies the sample-server application I can also satisfy Postfix.

referencing:
http://asg.andrew.cmu.edu/archive/message.php?mailbox=archive.cyrus-sasl&msg=9939
http://asg.andrew.cmu.edu/archive/message.php?mailbox=archive.cyrus-sasl&searchterm=GSSAPI&msg=282
http://asg.andrew.cmu.edu/archive/message.php?mailbox=archive.cyrus-sasl&msg=9928
http://cyrusimap.web.cmu.edu/docs/cyrus-sasl/2.1.23/gssapi.php

Here's how I think it's breaking down:

* Client gets a TGT from the kdc - good
* Client starts a connection with the Postfix smtpd - good
* Postfix responds with supported AUTH mechanisms - good
      - Wireshark shows AUTH GSSAPI in the response to EHLO
* The client then requests the smtp ticket from the kdc - good

******  kerberos tickets on the client after the auth attempt   *****
C:\Users\MrUser\Documents>klist

Current LogonId is 0:0x31e1c

Cached Tickets: (2)

#0>     Client: MrUser @ EXAMPLE.COM
         Server: krbtgt/EXAMPLE.COM @ EXAMPLE.COM
         KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
         Ticket Flags 0x40e00000 -> forwardable renewable initial 
pre_authent
         Start Time: 4/30/2013 10:57:01 (local)
         End Time:   4/30/2013 20:57:01 (local)
         Renew Time: 6/3/2013 10:57:01 (local)
         Session Key Type: AES-256-CTS-HMAC-SHA1-96


#1>     Client: MrUser @ EXAMPLE.COM
         Server: smtp/sbsmtpnv03.EXAMPLE.com @ EXAMPLE.COM
         KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
         Ticket Flags 0x40a00000 -> forwardable renewable pre_authent
         Start Time: 4/30/2013 10:58:17 (local)
         End Time:   4/30/2013 20:57:01 (local)
         Renew Time: 6/3/2013 10:57:01 (local)
         Session Key Type: RSADSI RC4-HMAC(NT)
*****

* Client responds with AUTH GSSAPI ...  a long text string ...
* Client receives a messages saying, "S: 535 5.7.8 Error: authentication 
falied: generic failure"

When this happens this is shown in my authentication log (/var/log/secure):

Apr 30 10:58:18 SBSMTPNV03 postfix/smtpd[17554]: auxpropfunc error 
invalid parameter supplied
Apr 30 10:58:18 SBSMTPNV03 postfix/smtpd[17554]: _sasl_plugin_load 
failed on sasl_auxprop_plug_init for plugin: ldapdb

This is what is shown in the postfix log:

Apr 30 10:58:18 SBSMTPNV03 postfix/smtpd[17554]: warning: SASL 
authentication failure: GSSAPI Error: Unspecified GSS failure.  Minor 
code may provide more information ()
Apr 30 10:58:18 SBSMTPNV03 postfix/smtpd[17554]: warning: 
nvit01b.EXAMPLE.com[10.20.2.0]: SASL GSSAPI authentication failed: 
generic failure

When I try testing my SASL configuration with the sample-server and 
sample client I get the same message as when Postfix tries to 
authenticate with SASL:

# sasl2-sample-server -m GSSAPI -s smtp
trying 2, 1, 6
trying 10, 1, 6
socket: Address family not supported by protocol

Apr 30 11:13:42 SBSMTPNV03 sasl2-sample-server: auxpropfunc error 
invalid parameter supplied
Apr 30 11:13:42 SBSMTPNV03 sasl2-sample-server: _sasl_plugin_load failed 
on sasl_auxprop_plug_init for plugin: ldapdb

Along my path at trying to figure this out, and referring to another 
tread on this list, I tried this:

# ldapwhoami -Y GSSAPI -D "CN=Matthew 
Larsen,OU=IT,OU=SRS,OU=Users,OU=SITENAME,OU=_Corporate,DC=EXAMPLE,DC=COM" -H 
ldap://10.20.1.3
SASL/GSSAPI authentication started
SASL username: MrUser at EXAMPLE.COM
SASL SSF: 56
SASL data security layer installed.
u:EXAMPLE\MrUser

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: MrUser at EXAMPLE.COM

Valid starting     Expires            Service principal
04/30/13 09:54:57  04/30/13 19:55:01  krbtgt/EXAMPLE.COM at EXAMPLE.COM
         renew until 05/07/13 09:54:57
04/30/13 10:20:39  04/30/13 19:55:01  ldap/dcnv02.EXAMPLE.com at EXAMPLE.COM
         renew until 05/07/13 09:54:57

So the kerberos exchange must be working to some extent on the system.


////////////////

Here's some supporting information to fill in information gaps:

/////////////////

# saslauthd -v
saslauthd 2.1.23
authentication mechanisms: getpwent kerberos5 pam rimap shadow ldap


# klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- 
--------------------------------------------------------------------------
    4 smtp/SBSMTPNV03.EXAMPLE.com at EXAMPLE.com (des-cbc-crc)
    4 smtp/SBSMTPNV03.EXAMPLE.com at EXAMPLE.com (des-cbc-md5)
    4 smtp/SBSMTPNV03.EXAMPLE.com at EXAMPLE.com (arcfour-hmac)
    4 smtp/SBSMTPNV03.EXAMPLE.com at EXAMPLE.com (aes256-cts-hmac-sha1-96)
    4 smtp/SBSMTPNV03.EXAMPLE.com at EXAMPLE.com (aes128-cts-hmac-sha1-96)
[root at SBSMTPNV03 sample]#

I've also tried adding to my Postfix main.cf file
import_environment = KRB5_KTNAME=FILE:/etc/postfix/smtp.keytab

# klist -ke /etc/postfix/smtp.keytab
Keytab name: FILE:/etc/postfix/smtp.keytab
KVNO Principal
---- 
--------------------------------------------------------------------------
    4 smtp/SBSMTPNV03.EXAMPLE.com at EXAMPLE.com (des-cbc-crc)
    4 smtp/SBSMTPNV03.EXAMPLE.com at EXAMPLE.com (des-cbc-md5)
    4 smtp/SBSMTPNV03.EXAMPLE.com at EXAMPLE.com (arcfour-hmac)
    4 smtp/SBSMTPNV03.EXAMPLE.com at EXAMPLE.com (aes256-cts-hmac-sha1-96)
    4 smtp/SBSMTPNV03.EXAMPLE.com at EXAMPLE.com (aes128-cts-hmac-sha1-96)





# ldd /usr/libexec/postfix/smtpd | grep libsasl
         libsasl2.so.2 => /usr/lib64/libsasl2.so.2 (0x00007f4146578000)

# saslfinger -s
saslfinger - postfix Cyrus sasl configuration Tue Apr 30 10:47:46 PDT 2013
version: 1.0.2
mode: server-side SMTP AUTH

-- basics --
Postfix: 2.6.6
System: CentOS release 6.4 (Final)

-- smtpd is linked to --
         libsasl2.so.2 => /usr/lib64/libsasl2.so.2 (0x00007f917a6a2000)

-- active SMTP AUTH and TLS parameters for smtpd --
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_security_options = noanonymous,noplaintext


-- listing of /usr/lib64/sasl2 --
total 432
drwxr-xr-x.  2 root root  4096 Apr 23 15:49 .
dr-xr-xr-x. 27 root root 20480 Apr 23 16:56 ..
-rwxr-xr-x.  1 root root 18776 Nov 27 03:49 libanonymous.so
-rwxr-xr-x.  1 root root 18776 Nov 27 03:49 libanonymous.so.2
-rwxr-xr-x.  1 root root 18776 Nov 27 03:49 libanonymous.so.2.0.23
-rwxr-xr-x.  1 root root 31256 Nov 27 03:49 libgssapiv2.so
-rwxr-xr-x.  1 root root 31256 Nov 27 03:49 libgssapiv2.so.2
-rwxr-xr-x.  1 root root 31256 Nov 27 03:49 libgssapiv2.so.2.0.23
-rwxr-xr-x.  1 root root 18784 Nov 27 03:49 libldapdb.so
-rwxr-xr-x.  1 root root 18784 Nov 27 03:49 libldapdb.so.2
-rwxr-xr-x.  1 root root 18784 Nov 27 03:49 libldapdb.so.2.0.23
-rwxr-xr-x.  1 root root 18808 Nov 27 03:49 liblogin.so
-rwxr-xr-x.  1 root root 18808 Nov 27 03:49 liblogin.so.2
-rwxr-xr-x.  1 root root 18808 Nov 27 03:49 liblogin.so.2.0.23
-rwxr-xr-x.  1 root root 18808 Nov 27 03:49 libplain.so
-rwxr-xr-x.  1 root root 18808 Nov 27 03:49 libplain.so.2
-rwxr-xr-x.  1 root root 18808 Nov 27 03:49 libplain.so.2.0.23
-rwxr-xr-x.  1 root root 22784 Nov 27 03:49 libsasldb.so
-rwxr-xr-x.  1 root root 22784 Nov 27 03:49 libsasldb.so.2
-rwxr-xr-x.  1 root root 22784 Nov 27 03:49 libsasldb.so.2.0.23

-- listing of /etc/sasl2 --
total 12
drwxr-xr-x.  2 root root 4096 Apr 24 15:22 .
drwxr-xr-x. 61 root root 4096 Apr 29 16:46 ..
-rw-r--r--   1 root root   69 Apr 23 11:30 smtpd.conf




-- content of /etc/sasl2/smtpd.conf --
log_level: 6
pwcheck_method: saslauthd
mech_list: gssapi plain login


-- active services in /etc/postfix/master.cf --
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (yes)   (never) (100)
smtp      inet  n       -       n       -       -       smtpd
pickup    fifo  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      fifo  n       -       n       300     1       qmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
         -o smtp_fallback_relay=
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache

-- mechanisms on localhost --

-- end of saslfinger output --

Kerberos config file:

# cat /etc/krb5.conf
[logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log

[libdefaults]
  default_realm = EXAMPLE.COM
  dns_lookup_realm = false
  dns_lookup_kdc = false
  ticket_lifetime = 24h
  renew_lifetime = 7d
  forwardable = true

[realms]
  EXAMPLE.COM = {
   kdc = dcnv01.EXAMPLE.com
   admin_server = dcnv01.EXAMPLE.com
   default_domain = EXAMPLE.com
  }

[domain_realm]
  .EXAMPLE.com = EXAMPLE.COM
  EXAMPLE.com = EXAMPLE.COM


[appdefaults]
  pam = {
         debug = false
         ticket_lifetime = 24h
         renew_lifetime = 7d
         forwardable = true
  }




More information about the Cyrus-sasl mailing list