[39043] in Kerberos
Debugging why KRB5_KTNAME isn't working
daemon@ATHENA.MIT.EDU (Brian J. Murrell)
Thu Jan 27 12:05:35 2022
Message-ID: <4f4a71e295df1a7aa4e53475af50164af7cbe86a.camel@interlinx.bc.ca>
From: "Brian J. Murrell" <brian@interlinx.bc.ca>
To: <kerberos@mit.edu>
Date: Thu, 27 Jan 2022 12:01:48 -0500

I am trying to debug why having KRB5_KTNAME set in the environment of a
process is not actually making that process use that keytab file but
instead is using the default /etc/krb5.keytab.

The process is Postfix's SMTP daemon (smtpd).

I have confirmed that the method of setting the environment variable is
working:

# ps -ef | grep smtpd
postfix 3726845 3515138 0 11:56 ? 00:00:00 smtpd -n smtp -t inet -u -o stress= -s 2
# tr '\0' '\n' < /proc/3726845/environ
KRB5_KTNAME=/etc/postfix/smtp.keytab
KRB5_CLIENT_KTNAME=/etc/postfix/smtp.keytab
KRB5_TRACE=/tmp/smtpd_krb5_trace
GENERATION=55

However, when looking at what the process is actually trying to open
with strace, it's clear that it's not using /etc/postfix/smtp.keytab:

# grep keytab /tmp/smtpd.strace6
3726845 openat(AT_FDCWD, "/etc/krb5.keytab", O_RDONLY) = -1 EACCES (Permission denied)
3726845 openat(AT_FDCWD, "/etc/krb5.keytab", O_RDONLY) = -1 EACCES (Permission denied)

As you can see, I did attempt to try to trace the Kerberos library with

KRB5_TRACE=/tmp/smtpd_krb5_trace

but that file does not actually get anything written to it:

-rwxrwxrwx. 1 root root 0 Jan 27 11:27 smtpd_krb5_trace

and the above strace doesn't show any sign of trying to open or even
stat the file:

# grep smtpd_krb5_trace /tmp/smtpd.strace6
[nothing]

Kerberos version appears to be MIT 1.18.2.

Any thoughts/ideas?

Cheers,
b.

________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos