Getting Postfix to work with cyrus-sasl GSSAPI mechanism
Dan White
dwhite at olp.net
Wed May 1 10:44:56 EDT 2013
On 04/30/13 11:45 -0700, Matthew Larsen wrote:
>I'm trying to get Postfix to authenticate mail clients on our Active
>Directory domain with the GSSAPI mechanism. I'm fairly sure I've got
>something wrong with the sasl configuration, and I'm hoping to get
>some pointers on what I might be doing wrong.
>C:\Users\MrUser\Documents>klist
>Cached Tickets: (2)
>* Client receives a message saying, "S: 535 5.7.8 Error:
>authentication failed: generic failure"
Verify gssapi support was compiled as a shared library or was statically
compiled into your libsasl2 library. Typically you would verify that with
pluginviewer, if it's available.
>When this happens this is shown in my authentication log (/var/log/secure):
>
>Apr 30 10:58:18 SBSMTPNV03 postfix/smtpd[17554]: auxpropfunc error
>invalid parameter supplied
>Apr 30 10:58:18 SBSMTPNV03 postfix/smtpd[17554]: _sasl_plugin_load
>failed on sasl_auxprop_plug_init for plugin: ldapdb
As was mentioned previously, these are not relevant to the problem. You can
suppress those errors by adding this to your /etc/sasl2/smtpd.conf:
auxprop_plugin: sasldb
>This is what is shown in the postfix log:
>
>Apr 30 10:58:18 SBSMTPNV03 postfix/smtpd[17554]: warning: SASL
>authentication failure: GSSAPI Error: Unspecified GSS failure. Minor
>code may provide more information ()
>Apr 30 10:58:18 SBSMTPNV03 postfix/smtpd[17554]: warning:
>nvit01b.EXAMPLE.com[10.20.2.0]: SASL GSSAPI authentication failed:
>generic failure
>When I try testing my SASL configuration with the sample-server and
>sample client I get the same message as when Postfix tries to
>authenticate with SASL:
>
>Along my path at trying to figure this out, and referring to another
>thread on this list, I tried this:
>
># ldapwhoami -Y GSSAPI -D "CN=Matthew Larsen,OU=IT,OU=SRS,OU=Users,OU=SITENAME,OU=_Corporate,DC=EXAMPLE,DC=COM"
>-H ldap://10.20.1.3
>SASL/GSSAPI authentication started
>SASL username: MrUser at EXAMPLE.COM
>SASL SSF: 56
>SASL data security layer installed.
>u:EXAMPLE\MrUser
Your -D parameter is ignored here. Your authc identity should be derived
via your ticket.
On this system, try using smtptest, which is distributed with cyrus imapd:
smtptest -m GSSAPI <hostname>
>Here's some supporting information to fill in information gaps:
>
>/////////////////
>
># saslauthd -v
>saslauthd 2.1.23
>authentication mechanisms: getpwent kerberos5 pam rimap shadow ldap
>
>
>I've also tried adding to my Postfix main.cf file
>import_environment = KRB5_KTNAME=FILE:/etc/postfix/smtp.keytab
If your cyrus gssapi plugin was compiled against heimdal, you may need to
add this to your /etc/sasl2/smtpd.conf instead:
keytab: /etc/postfix/smtp.keytab
># saslfinger -s
>saslfinger - postfix Cyrus sasl configuration Tue Apr 30 10:47:46 PDT 2013
>version: 1.0.2
>mode: server-side SMTP AUTH
>
>-- basics --
>Postfix: 2.6.6
>System: CentOS release 6.4 (Final)
>
>-- smtpd is linked to --
> libsasl2.so.2 => /usr/lib64/libsasl2.so.2 (0x00007f917a6a2000)
>
>-- active SMTP AUTH and TLS parameters for smtpd --
>broken_sasl_auth_clients = yes
>smtpd_sasl_auth_enable = yes
>smtpd_sasl_local_domain = $mydomain
>smtpd_sasl_security_options = noanonymous,noplaintext
>
>
>-- listing of /usr/lib64/sasl2 --
>total 432
>drwxr-xr-x. 2 root root 4096 Apr 23 15:49 .
>dr-xr-xr-x. 27 root root 20480 Apr 23 16:56 ..
>-rwxr-xr-x. 1 root root 18776 Nov 27 03:49 libanonymous.so
>-rwxr-xr-x. 1 root root 18776 Nov 27 03:49 libanonymous.so.2
>-rwxr-xr-x. 1 root root 18776 Nov 27 03:49 libanonymous.so.2.0.23
>-rwxr-xr-x. 1 root root 31256 Nov 27 03:49 libgssapiv2.so
>-rwxr-xr-x. 1 root root 31256 Nov 27 03:49 libgssapiv2.so.2
>-rwxr-xr-x. 1 root root 31256 Nov 27 03:49 libgssapiv2.so.2.0.23
>-rwxr-xr-x. 1 root root 18784 Nov 27 03:49 libldapdb.so
>-rwxr-xr-x. 1 root root 18784 Nov 27 03:49 libldapdb.so.2
>-rwxr-xr-x. 1 root root 18784 Nov 27 03:49 libldapdb.so.2.0.23
>-rwxr-xr-x. 1 root root 18808 Nov 27 03:49 liblogin.so
>-rwxr-xr-x. 1 root root 18808 Nov 27 03:49 liblogin.so.2
>-rwxr-xr-x. 1 root root 18808 Nov 27 03:49 liblogin.so.2.0.23
>-rwxr-xr-x. 1 root root 18808 Nov 27 03:49 libplain.so
>-rwxr-xr-x. 1 root root 18808 Nov 27 03:49 libplain.so.2
>-rwxr-xr-x. 1 root root 18808 Nov 27 03:49 libplain.so.2.0.23
>-rwxr-xr-x. 1 root root 22784 Nov 27 03:49 libsasldb.so
>-rwxr-xr-x. 1 root root 22784 Nov 27 03:49 libsasldb.so.2
>-rwxr-xr-x. 1 root root 22784 Nov 27 03:49 libsasldb.so.2.0.23
>
>-- listing of /etc/sasl2 --
>total 12
>drwxr-xr-x. 2 root root 4096 Apr 24 15:22 .
>drwxr-xr-x. 61 root root 4096 Apr 29 16:46 ..
>-rw-r--r-- 1 root root 69 Apr 23 11:30 smtpd.conf
>
>-- content of /etc/sasl2/smtpd.conf --
>log_level: 6
>pwcheck_method: saslauthd
>mech_list: gssapi plain login
>
>
>-- active services in /etc/postfix/master.cf --
># service type private unpriv chroot wakeup maxproc command + args
># (yes) (yes) (yes) (never) (100)
>smtp inet n - n - - smtpd
>pickup fifo n - n 60 1 pickup
>cleanup unix n - n - 0 cleanup
>qmgr fifo n - n 300 1 qmgr
>tlsmgr unix - - n 1000? 1 tlsmgr
>rewrite unix - - n - - trivial-rewrite
>bounce unix - - n - 0 bounce
>defer unix - - n - 0 bounce
>trace unix - - n - 0 bounce
>verify unix - - n - 1 verify
>flush unix n - n 1000? 0 flush
>proxymap unix - - n - - proxymap
>proxywrite unix - - n - 1 proxymap
>smtp unix - - n - - smtp
>relay unix - - n - - smtp
> -o smtp_fallback_relay=
>showq unix n - n - - showq
>error unix - - n - - error
>retry unix - - n - - error
>discard unix - - n - - discard
>local unix - n n - - local
>virtual unix - n n - - virtual
>lmtp unix - - n - - lmtp
>anvil unix - - n - 1 anvil
>scache unix - - n - 1 scache
>
>-- mechanisms on localhost --
>
>-- end of saslfinger output --
>
>Kerberos config file:
>
># cat /etc/krb5.conf
>[logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
>[libdefaults]
> default_realm = EXAMPLE.COM
> dns_lookup_realm = false
> dns_lookup_kdc = false
> ticket_lifetime = 24h
> renew_lifetime = 7d
> forwardable = true
>
>[realms]
> EXAMPLE.COM = {
> kdc = dcnv01.EXAMPLE.com
> admin_server = dcnv01.EXAMPLE.com
> default_domain = EXAMPLE.com
> }
>
>[domain_realm]
> .EXAMPLE.com = EXAMPLE.COM
> EXAMPLE.com = EXAMPLE.COM
>
>
>[appdefaults]
> pam = {
> debug = false
> ticket_lifetime = 24h
> renew_lifetime = 7d
> forwardable = true
> }
--
Dan White
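As an added example that is not part of this thread, the following POSIX sh checklist mechanises the points raised in the reply above: the GSSAPI plugin must be installed in the SASL plugin directory, mech_list must include gssapi, pinning auxprop_plugin silences the ldapdb errors, and a keytab (smtpd.conf "keytab:" or KRB5_KTNAME) must exist and be readable. The plugin directory and smtpd.conf path are arguments; the key names are the ones shown in the thread.

```shell
#!/bin/sh
# Added checklist script (not from the thread). Paths are passed in;
# nothing is hard-coded to the poster's system.
# Usage: sasl_gssapi_check /usr/lib64/sasl2 /etc/sasl2/smtpd.conf

# 0 if the GSSAPI mechanism plugin is present in the SASL plugin directory.
check_gssapi_plugin() {
    [ -f "$1/libgssapiv2.so" ] || [ -f "$1/libgssapiv2.so.2" ]
}

# Print the value of a "key: value" line from a Cyrus SASL config file.
sasl_conf_get() {
    awk -v k="$2" -F': *' '$1 == k { print $2; exit }' "$1"
}

# 0 if mech_list contains gssapi (mechanism names are matched case-insensitively).
check_mech_list() {
    sasl_conf_get "$1" mech_list | tr 'A-Z ' 'a-z\n' | grep -qx gssapi
}

# 0 if auxprop_plugin is set, so libsasl2 stops trying to initialise ldapdb.
check_auxprop() {
    [ -n "$(sasl_conf_get "$1" auxprop_plugin)" ]
}

# 0 if a keytab is named (smtpd.conf first, then KRB5_KTNAME) and is readable.
check_keytab() {
    kt=$(sasl_conf_get "$1" keytab)
    [ -n "$kt" ] || kt=${KRB5_KTNAME#FILE:}
    [ -n "$kt" ] && [ -r "$kt" ]
}

# Run all checks, print one line each, return the number of failed checks.
sasl_gssapi_check() {
    plugdir=$1 conf=$2 fails=0
    check_gssapi_plugin "$plugdir" && echo "ok:   libgssapiv2.so in $plugdir" \
        || { echo "FAIL: libgssapiv2.so missing from $plugdir"; fails=$((fails+1)); }
    check_mech_list "$conf" && echo "ok:   mech_list includes gssapi" \
        || { echo "FAIL: mech_list in $conf does not include gssapi"; fails=$((fails+1)); }
    check_auxprop "$conf" && echo "ok:   auxprop_plugin is pinned" \
        || { echo "WARN: add 'auxprop_plugin: sasldb' to silence ldapdb errors"; fails=$((fails+1)); }
    check_keytab "$conf" && echo "ok:   keytab is readable" \
        || { echo "FAIL: no readable keytab (smtpd.conf keytab: or KRB5_KTNAME)"; fails=$((fails+1)); }
    return $fails
}
```

Run it as the user smtpd runs as, since the keytab readability check is only meaningful for that account.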