I am trying to debug why having KRB5_KTNAME set in the environment of a process is not actually making that process use that keytab file but
instead is using the default /etc/krb5.keytab.
The process is Postfix's SMTP daemon (smtpd).
[...]
Any thoughts/ideas?
I am trying to debug why having KRB5_KTNAME set in the environment of a process is not actually making that process use that keytab file but
instead is using the default /etc/krb5.keytab.
Is it possible Postfix is clearing out the environment at startup?
A very brief test suggests to me that "environ" contains the environment at process start and modification of the current environment isn't reflected there, so if Postfix was resetting the environment you wouldn't know it.
Is it possible Postfix is clearing out the environment at startup?
As anything, I suppose it is possible. It would be doing so in
violation of exactly the purpose of the mechanism that is being used to
set the environment though.
Of course, the program itself can provide configuration for the keytab
file. I couldn't find any gss_ or krb5_ calls in the Postfix source
code (looking at Viktor Dukhovni's git mirror), so I don't have any
immediate insight as to whether that's currently possible or what would
need to change.
import_environment (default: see postconf -d output)
Is that what you're using?
It looks to me that if the variable isn't listed in the import_environment configuration entry, it doesn't make it very far and is removed by the function clean_env().
(If you want to demonstrate to others how KRB5_KTNAME is supposed to work, just include the output of "env KRB5_KTNAME=/dev/stdout kinit" or some other Kerberos program).
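To make the import_environment point concrete, here is an added illustration (not Postfix's own clean_env() code) that applies the same rule the message describes: only variables named in import_environment survive into the daemon, so KRB5_KTNAME is dropped unless it is added to that list. The import_environment value and the inherited environment below are constructed samples.

```sh
#!/bin/sh
# Constructed sample of an import_environment value (check the real one with
# `postconf -h import_environment`); note that KRB5_KTNAME is not in it.
SAMPLE_IMPORT_ENVIRONMENT='MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C'

# is_imported NAME IMPORT_LIST
# Returns 0 when NAME appears in IMPORT_LIST, either bare (NAME) or with a
# forced value (NAME=value), which are the two forms import_environment accepts.
is_imported() {
    var=$1
    for entry in $2; do
        case $entry in
            "$var"|"$var"=*) return 0 ;;
        esac
    done
    return 1
}

# filter_env IMPORT_LIST  (reads NAME=value lines on stdin)
# Prints only the lines whose NAME is in IMPORT_LIST, i.e. what a Postfix
# daemon would still see after the environment has been cleaned.
filter_env() {
    while IFS= read -r line; do
        name=${line%%=*}
        if is_imported "$name" "$1"; then
            printf '%s\n' "$line"
        fi
    done
}

# Constructed environment as master(8) might inherit it from its own parent.
SAMPLE_ENV='KRB5_KTNAME=/etc/postfix/smtp.keytab
TZ=UTC
PATH=/usr/bin'

# With the sample list only TZ=UTC survives; KRB5_KTNAME is silently dropped.
kept=$(printf '%s\n' "$SAMPLE_ENV" | filter_env "$SAMPLE_IMPORT_ENVIRONMENT")
printf 'surviving environment:\n%s\n' "$kept"

# Appending KRB5_KTNAME to the list (what `postconf -e` would do for the real
# setting) lets it through.
kept_with_ktname=$(printf '%s\n' "$SAMPLE_ENV" | filter_env "$SAMPLE_IMPORT_ENVIRONMENT KRB5_KTNAME")
printf 'with KRB5_KTNAME imported:\n%s\n' "$kept_with_ktname"
```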
Yes. That is the "for-purpose" mechanism that I alluded to earlier
which is why I posited that if smtpd was clearing the environment it
was doing so in violation of the specific mechanism that was supposed
to make this all work.
On Thu, 2022-01-27 at 20:31 +0100, Jochen Kellner wrote:
I once configured postfix to use SASL:
main.cf:83:smtpd_sasl_auth_enable = yes
I do have that already.
And in /etc/postfix/sasl/smtpd.conf:
Hrm. I don't have this file. But I never did and this all worked
prior to a few days ago when the machine was upgraded from EL7 to EL8,
which unsurprisingly upgrades a lot of things in big jumps. So maybe
this is now necessary.
Ahh. Looking at smtpd's strace output, it seems it's looking in /etc/sasl2/smtpd.conf on my machine and I do have that file with:
pwcheck_method: saslauthd
mech_list: gssapi plain login
keytab: /etc/smtp.keytab
And indeed, winner winner, chicken dinner! Adding a "keytab: /etc/postfix/smtp.keytab" to that file is making smtpd use the correct keytab file now.
So this must all be new behavior in some upgraded versions.
I once configured postfix to use SASL:
main.cf:83:smtpd_sasl_auth_enable = yes
And in /etc/postfix/sasl/smtpd.conf:
keytab: /etc/smtp.keytab