Getting Postfix to work with cyrus-sasl GSSAPI mechanism

Dan White dwhite at olp.net
Wed May 1 10:44:56 EDT 2013


On 04/30/13 11:45 -0700, Matthew Larsen wrote:
>I'm trying to get Postfix to authenticate mail clients on our Active 
>Directory domain with the GSSAPI mechanism.  I'm fairly sure I've got 
>something wrong with the sasl configuration, and I'm hoping to get 
>some pointers on what I might be doing wrong.

>C:\Users\MrUser\Documents>klist

>Cached Tickets: (2)

>* Client receives a message saying, "S: 535 5.7.8 Error: 
>authentication failed: generic failure"

Verify gssapi support was compiled as a shared library or was statically
compiled into your libsasl2 library. Typically you would verify that with
pluginviewer, if it's available.

>When this happens this is shown in my authentication log (/var/log/secure):
>
>Apr 30 10:58:18 SBSMTPNV03 postfix/smtpd[17554]: auxpropfunc error 
>invalid parameter supplied
>Apr 30 10:58:18 SBSMTPNV03 postfix/smtpd[17554]: _sasl_plugin_load 
>failed on sasl_auxprop_plug_init for plugin: ldapdb

As was mentioned previously, these are not relevant to the problem. You can
suppress those errors by adding this to your /etc/sasl2/smtpd.conf:

auxprop_plugin: sasldb

>This is what is shown in the postfix log:
>
>Apr 30 10:58:18 SBSMTPNV03 postfix/smtpd[17554]: warning: SASL 
>authentication failure: GSSAPI Error: Unspecified GSS failure.  Minor 
>code may provide more information ()
>Apr 30 10:58:18 SBSMTPNV03 postfix/smtpd[17554]: warning: 
>nvit01b.EXAMPLE.com[10.20.2.0]: SASL GSSAPI authentication failed: 
>generic failure

>When I try testing my SASL configuration with the sample-server and 
>sample client I get the same message as when Postfix tries to 
>authenticate with SASL:
>
>Along my path at trying to figure this out, and referring to another 
>thread on this list, I tried this:
>
># ldapwhoami -Y GSSAPI -D "CN=Matthew Larsen,OU=IT,OU=SRS,OU=Users,OU=SITENAME,OU=_Corporate,DC=EXAMPLE,DC=COM" -H ldap://10.20.1.3
>SASL/GSSAPI authentication started
>SASL username: MrUser at EXAMPLE.COM
>SASL SSF: 56
>SASL data security layer installed.
>u:EXAMPLE\MrUser

Your -D parameter is ignored here. Your authc identity should be derived
via your ticket.

On this system, try using smtptest, which is distributed with cyrus imapd:

smtptest -m GSSAPI <hostname>

>Here's some supporting information to fill in information gaps:
>
>/////////////////
>
># saslauthd -v
>saslauthd 2.1.23
>authentication mechanisms: getpwent kerberos5 pam rimap shadow ldap
>
>
>I've also tried adding to my Postfix main.cf file
>import_environment = KRB5_KTNAME=FILE:/etc/postfix/smtp.keytab

If your cyrus gssapi plugin was compiled against heimdal, you may need to
add this to your /etc/sasl2/smtpd.conf instead:

keytab: /etc/postfix/smtp.keytab

># saslfinger -s
>saslfinger - postfix Cyrus sasl configuration Tue Apr 30 10:47:46 PDT 2013
>version: 1.0.2
>mode: server-side SMTP AUTH
>
>-- basics --
>Postfix: 2.6.6
>System: CentOS release 6.4 (Final)
>
>-- smtpd is linked to --
>        libsasl2.so.2 => /usr/lib64/libsasl2.so.2 (0x00007f917a6a2000)
>
>-- active SMTP AUTH and TLS parameters for smtpd --
>broken_sasl_auth_clients = yes
>smtpd_sasl_auth_enable = yes
>smtpd_sasl_local_domain = $mydomain
>smtpd_sasl_security_options = noanonymous,noplaintext
>
>
>-- listing of /usr/lib64/sasl2 --
>total 432
>drwxr-xr-x.  2 root root  4096 Apr 23 15:49 .
>dr-xr-xr-x. 27 root root 20480 Apr 23 16:56 ..
>-rwxr-xr-x.  1 root root 18776 Nov 27 03:49 libanonymous.so
>-rwxr-xr-x.  1 root root 18776 Nov 27 03:49 libanonymous.so.2
>-rwxr-xr-x.  1 root root 18776 Nov 27 03:49 libanonymous.so.2.0.23
>-rwxr-xr-x.  1 root root 31256 Nov 27 03:49 libgssapiv2.so
>-rwxr-xr-x.  1 root root 31256 Nov 27 03:49 libgssapiv2.so.2
>-rwxr-xr-x.  1 root root 31256 Nov 27 03:49 libgssapiv2.so.2.0.23
>-rwxr-xr-x.  1 root root 18784 Nov 27 03:49 libldapdb.so
>-rwxr-xr-x.  1 root root 18784 Nov 27 03:49 libldapdb.so.2
>-rwxr-xr-x.  1 root root 18784 Nov 27 03:49 libldapdb.so.2.0.23
>-rwxr-xr-x.  1 root root 18808 Nov 27 03:49 liblogin.so
>-rwxr-xr-x.  1 root root 18808 Nov 27 03:49 liblogin.so.2
>-rwxr-xr-x.  1 root root 18808 Nov 27 03:49 liblogin.so.2.0.23
>-rwxr-xr-x.  1 root root 18808 Nov 27 03:49 libplain.so
>-rwxr-xr-x.  1 root root 18808 Nov 27 03:49 libplain.so.2
>-rwxr-xr-x.  1 root root 18808 Nov 27 03:49 libplain.so.2.0.23
>-rwxr-xr-x.  1 root root 22784 Nov 27 03:49 libsasldb.so
>-rwxr-xr-x.  1 root root 22784 Nov 27 03:49 libsasldb.so.2
>-rwxr-xr-x.  1 root root 22784 Nov 27 03:49 libsasldb.so.2.0.23
>
>-- listing of /etc/sasl2 --
>total 12
>drwxr-xr-x.  2 root root 4096 Apr 24 15:22 .
>drwxr-xr-x. 61 root root 4096 Apr 29 16:46 ..
>-rw-r--r--   1 root root   69 Apr 23 11:30 smtpd.conf
>
>-- content of /etc/sasl2/smtpd.conf --
>log_level: 6
>pwcheck_method: saslauthd
>mech_list: gssapi plain login
>
>
>-- active services in /etc/postfix/master.cf --
># service type  private unpriv  chroot  wakeup  maxproc command + args
>#               (yes)   (yes)   (yes)   (never) (100)
>smtp      inet  n       -       n       -       -       smtpd
>pickup    fifo  n       -       n       60      1       pickup
>cleanup   unix  n       -       n       -       0       cleanup
>qmgr      fifo  n       -       n       300     1       qmgr
>tlsmgr    unix  -       -       n       1000?   1       tlsmgr
>rewrite   unix  -       -       n       -       -       trivial-rewrite
>bounce    unix  -       -       n       -       0       bounce
>defer     unix  -       -       n       -       0       bounce
>trace     unix  -       -       n       -       0       bounce
>verify    unix  -       -       n       -       1       verify
>flush     unix  n       -       n       1000?   0       flush
>proxymap  unix  -       -       n       -       -       proxymap
>proxywrite unix -       -       n       -       1       proxymap
>smtp      unix  -       -       n       -       -       smtp
>relay     unix  -       -       n       -       -       smtp
>        -o smtp_fallback_relay=
>showq     unix  n       -       n       -       -       showq
>error     unix  -       -       n       -       -       error
>retry     unix  -       -       n       -       -       error
>discard   unix  -       -       n       -       -       discard
>local     unix  -       n       n       -       -       local
>virtual   unix  -       n       n       -       -       virtual
>lmtp      unix  -       -       n       -       -       lmtp
>anvil     unix  -       -       n       -       1       anvil
>scache    unix  -       -       n       -       1       scache
>
>-- mechanisms on localhost --
>
>-- end of saslfinger output --
>
>Kerberos config file:
>
># cat /etc/krb5.conf
>[logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
>[libdefaults]
> default_realm = EXAMPLE.COM
> dns_lookup_realm = false
> dns_lookup_kdc = false
> ticket_lifetime = 24h
> renew_lifetime = 7d
> forwardable = true
>
>[realms]
> EXAMPLE.COM = {
>  kdc = dcnv01.EXAMPLE.com
>  admin_server = dcnv01.EXAMPLE.com
>  default_domain = EXAMPLE.com
> }
>
>[domain_realm]
> .EXAMPLE.com = EXAMPLE.COM
> EXAMPLE.com = EXAMPLE.COM
>
>
>[appdefaults]
> pam = {
>        debug = false
>        ticket_lifetime = 24h
>        renew_lifetime = 7d
>        forwardable = true
> }

-- 
Dan White
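Added here as a working checklist for the points in the reply above (GSSAPI plugin present, auxprop_plugin pinned to sasldb, keytab wired into smtpd); this is not code from the thread, from cyrus-sasl or from Postfix. It assumes the paths shown in the thread and the output format of MIT Kerberos "klist -k".

```shell
#!/bin/sh
# Added checks for the points raised in the reply above; not code from the
# thread. Assumed paths: /usr/lib64/sasl2, /etc/sasl2/smtpd.conf,
# /etc/postfix/main.cf and /etc/postfix/smtp.keytab; MIT "klist -k" format.

# 1. Is the cyrus-sasl GSSAPI plugin installed as a shared object? (If it was
#    linked statically into libsasl2, confirm with pluginviewer instead.)
check_gssapi_plugin() {
    ls "$1"/libgssapiv2.so* >/dev/null 2>&1
}

# 2. Does smtpd.conf list gssapi in mech_list, and pin auxprop_plugin to
#    sasldb so the unrelated ldapdb auxprop errors stop cluttering the log?
#    Returns 0 = ok, 1 = gssapi not in mech_list, 2 = auxprop_plugin not set.
check_smtpd_conf() {
    grep -Eiq '^[[:space:]]*mech_list:([[:space:]]|.*[[:space:]])gssapi([[:space:]]|$)' "$1" || return 1
    grep -Eiq '^[[:space:]]*auxprop_plugin:[[:space:]]*sasldb[[:space:]]*$' "$1" || return 2
    return 0
}

# 3. Does the keytab hold the smtp/<fqdn>@REALM principal that clients will
#    request a ticket for? Reads "klist -k <keytab>" output on stdin.
#    Usage: klist -k /etc/postfix/smtp.keytab | keytab_has_principal smtp/mail.example.com@EXAMPLE.COM
keytab_has_principal() {
    grep -Fq " $1"
}

# 4. Is the keytab location handed to smtpd at all? Either form works:
#    KRB5_KTNAME in main.cf import_environment (MIT) or "keytab:" in
#    smtpd.conf (heimdal-built plugin). The file must also be readable by the
#    user smtpd runs as (postfix); an unreadable keytab fails just as generically.
check_keytab_wired() {
    grep -Eq '^[[:space:]]*import_environment[[:space:]]*=.*KRB5_KTNAME=' "$1" && return 0
    grep -Eiq '^[[:space:]]*keytab:[[:space:]]*/' "$2" && return 0
    return 1
}

# Run against the live system: sh check_sasl_gssapi.sh --live
if [ "${1-}" = "--live" ]; then
    check_gssapi_plugin /usr/lib64/sasl2 && echo "gssapi plugin: ok" || echo "gssapi plugin: MISSING"
    rc=0; check_smtpd_conf /etc/sasl2/smtpd.conf || rc=$?
    echo "smtpd.conf: $rc (0 ok, 1 no gssapi in mech_list, 2 auxprop_plugin unset)"
    check_keytab_wired /etc/postfix/main.cf /etc/sasl2/smtpd.conf && echo "keytab wired: ok" || echo "keytab wired: NO"
    klist -k /etc/postfix/smtp.keytab | keytab_has_principal "smtp/$(hostname -f)@EXAMPLE.COM" \
        && echo "keytab principal: ok" || echo "keytab principal: MISSING"
fi
```

Once every check passes, smtptest -m GSSAPI <hostname> (from cyrus imapd) exercises the same code path Postfix uses, without involving the mail client.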


More information about the Cyrus-sasl mailing list