[39052] in Kerberos


Re: Debugging why KRB5_KTNAME isn't working

daemon@ATHENA.MIT.EDU (Simo Sorce)
Thu Jan 27 15:56:29 2022

Message-ID: <e144edcc40c76d8a0110eb21702dc94274da71c2.camel@redhat.com>
From: Simo Sorce <simo@redhat.com>
To: "Brian J. Murrell" <brian@interlinx.bc.ca>, kerberos@mit.edu
Date: Thu, 27 Jan 2022 15:53:10 -0500
In-Reply-To: <91d4b70f6566927b0f81102193232ef8f330981a.camel@interlinx.bc.ca>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

On Thu, 2022-01-27 at 15:34 -0500, Brian J. Murrell wrote:
> On Thu, 2022-01-27 at 20:31 +0100, Jochen Kellner wrote:
> > 
> > I once configured postfix to use sasl:
> > 
> > main.cf:83:smtpd_sasl_auth_enable = yes
> 
> I do have that already.
> 
> > And in /etc/postfix/sasl/smtpd.conf:
> 
> Hrm.  I don't have this file.  But I never did and this all worked
> prior to a few days ago when the machine was upgraded from EL7 to EL8,
> which unsurprisingly upgrades a lot of things in big jumps.  So maybe
> this is now necessary.
> 
> Ahh.  Looking at smtpd's strace output, it seems it's looking in
> /etc/sasl2/smtpd.conf on my machine and I do have that file with:
> 
> pwcheck_method: saslauthd
> mech_list: gssapi plain login
> 
> > keytab: /etc/smtp.keytab
> 
> And indeed, winner winner, chicken dinner!  Adding a "keytab:
> /etc/postfix/smtp.keytab" to that file is making smtpd use the correct
> keytab file now.
> 
> So this must all be new behavior in some upgraded versions.

The keytab option for the cyrus-sasl gssapi plugin is somewhat new
(considering that RHEL-8 is almost 3 years old now) and is probably
causing the change in behavior wrt environment variables that you are
experiencing.

-- 
Simo Sorce
RHEL Crypto Team
Red Hat, Inc




________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
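
Added example, not part of the original message and not Cyrus SASL or Postfix code: a small Python check for the fix discussed in the thread, confirming that a SASL config offering gssapi names an explicit keytab and that the keytab file is present and not world-readable. The function names and the permission checks are assumptions of this example, and the sample config is constructed from the lines quoted in the thread.

```python
import os
import stat

# Constructed sample mirroring the /etc/sasl2/smtpd.conf quoted in the thread.
SAMPLE_CONF = """\
pwcheck_method: saslauthd
mech_list: gssapi plain login
keytab: /etc/postfix/smtp.keytab
"""

def parse_sasl_conf(text):
    """Parse Cyrus SASL 'option: value' lines; skip blanks and # comments."""
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        options[key.strip().lower()] = value.strip()
    return options

def audit_gssapi_keytab(text):
    """Return a list of findings about the keytab the GSSAPI plugin will use."""
    opts = parse_sasl_conf(text)
    # An absent mech_list means every installed mechanism is offered.
    mechs = opts.get("mech_list", "gssapi").lower().split()
    if "gssapi" not in mechs:
        return ["gssapi not in mech_list; keytab option is irrelevant"]
    path = opts.get("keytab")
    if not path:
        return ["gssapi offered without a keytab option; add 'keytab: <path>'"]
    try:
        st = os.stat(path)
    except OSError as exc:
        return [f"keytab {path} is not accessible: {exc.strerror}"]
    findings = []
    if not stat.S_ISREG(st.st_mode):
        findings.append(f"keytab {path} is not a regular file")
    if st.st_mode & stat.S_IROTH:
        findings.append(f"keytab {path} is world-readable")
    if not os.access(path, os.R_OK):
        findings.append(f"keytab {path} is not readable by this user")
    return findings or [f"keytab {path} looks usable"]

if __name__ == "__main__":
    for finding in audit_gssapi_keytab(SAMPLE_CONF):
        print(finding)
```

Run it as the account the service uses (for Postfix's smtpd, typically the postfix user) so the readability check reflects what the daemon will see.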

