<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA1<br>
<br>
<br>
On 03/13/2013 10:47 AM, Dale Macartney wrote:<br>
<span style="white-space: pre;">><br>
><br>
> On 03/12/2013 02:05 PM, Anthony Messina wrote:<br>
> > On Tuesday, March 12, 2013 08:53:59 AM Anthony Messina
wrote:<br>
> >> On Tuesday, March 12, 2013 01:50:47 PM Dale
Macartney wrote:<br>
> >>> > # Import environment for Kerberos v5 GSSAPI<br>
> >>> ><br>
> >>> > import_environment =<br>
> >>> ><br>
> >>> > MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ
XAUTHORITY DISPLAY<br>
> >>><br>
> >>> LANG=C<br>
> >>><br>
> >>> > KRB5_KTNAME=/etc/postfix/smtp.keytab<br>
> >>><br>
> >>><br>
> >>> Anthony, where were you declaring the above? In
Squid, I've added the<br>
> >>> keytab to the service startup script. Presumably
it would be somewhere<br>
> >>> similar?><br>
> >>><br>
> >>><br>
> >>> Dale<br>
> >><br>
> >> In /etc/postfix/main.cf<br>
><br>
> > Sorry, I sent too fast. from man (5) postconf:<br>
><br>
> > import_environment (default: see postconf -d output)<br>
> > The list of environment parameters that a Postfix
process will import<br>
> > from a non-Postfix parent process. Examples of relevant
parameters:<br>
><br>
> > TZ Needed for sane time keeping on most System-V-ish
systems.<br>
><br>
> > DISPLAY<br>
> > Needed for debugging Postfix daemons with an X-windows
debugger.<br>
><br>
> > XAUTHORITY<br>
> > Needed for debugging Postfix daemons with an X-windows
debugger.<br>
><br>
> > MAIL_CONFIG<br>
> > Needed to make "postfix -c" work.<br>
><br>
> > Specify a list of names and/or name=value pairs,
separated by<br>
> > whitespace or comma. The name=value form is supported
with Postfix version 2.1<br>
> > and later.<br>
> Things aren't really playing ball here....<br>
><br>
> I've configured postfix from default install with the below
changes..<br>
><br>
> Am I missing something?<br>
><br>
> ipa-getkeytab -s ds01.example.com -p smtp/$(hostname) -k
/etc/postfix/smtp.keytab<br>
> postconf -e 'inet_interfaces = all'<br>
> postconf -e 'mydestination = $myhostname,
localhost.$mydomain, localhost, $mydomain'<br>
> postconf -e 'myorigin = $mydomain'<br>
> postconf -e 'import_environment = MAIL_CONFIG MAIL_DEBUG
MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C
KRB5_KTNAME=/etc/postfix/smtp.keytab'<br>
> postconf -e 'smtpd_recipient_restrictions =
permit_sasl_authenticated, permit_mynetworks,
reject_unauth_destination'<br>
> postconf -e 'smtpd_sasl_auth_enable = yes'<br>
> postconf -e 'smtpd_sasl_security_options = noanonymous'<br>
> postconf -e 'smtpd_sasl_tls_security_options =
$smtpd_sasl_security_options'<br>
><br>
> cat >> /etc/postfix/main.cf << EOF<br>
> virtual_alias_domains = example.com<br>
> virtual_alias_maps = <a class="moz-txt-link-freetext" href="ldap:/etc/postfix/ldap_aliases.cf">ldap:/etc/postfix/ldap_aliases.cf</a><br>
> EOF<br>
><br>
> cat > /etc/postfix/ldap_aliases.cf << EOF<br>
> server_host = ds01.example.com<br>
> search_base = cn=accounts,dc=example,dc=com<br>
> query_filter = (mail=%s)<br>
> result_attribute = uid<br>
> bind = no<br>
> start_tls = yes<br>
> version = 3<br>
> EOF<br>
><br>
> postmap /etc/postfix/ldap_aliases.cf<br>
> restorecon -R /etc/postfix/<br>
><br>
> cat > /etc/sasl2/smtpd.conf << EOF<br>
> pwcheck_method: saslauthd<br>
> mech_list: GSSAPI PLAIN LOGIN<br>
> EOF<br>
><br>
><br>
><br>
> LDAP lookups work perfectly, however kerberos authentication
doesn't seem to want to work. I should mention, I am not using SSL
(yet). Does sasl/gssapi have some form of prereq of SSL by any
chance?<br>
><br>
> Logs from maillog are as follows<br>
><br>
> Mar 12 15:51:27 mail01 postfix/smtpd[26240]: connect from
unknown[10.0.1.101]<br>
> Mar 12 15:51:27 mail01 postfix/smtpd[26240]: warning: SASL
authentication failure: GSSAPI Error: Unspecified GSS failure.
Minor code may provide more information ()<br>
> Mar 12 15:51:27 mail01 postfix/smtpd[26240]: warning:
unknown[10.0.1.101]: SASL GSSAPI authentication failed: generic
failure<br>
> Mar 12 15:51:27 mail01 postfix/smtpd[26240]: disconnect from
unknown[10.0.1.101]<br>
><br>
> Thanks all<br>
></span><br>
<br>
Silly mistake on my part. Simple perms issue with keytab file.<br>
<br>
Below is a working config of Postfix with IPA user lookups and
Kerberos-authenticated sending.<br>
<br>
ipa-getkeytab -s ds01.example.com -p smtp/$(hostname) -k
/etc/postfix/smtp.keytab<br>
chown root:mail /etc/postfix/smtp.keytab<br>
chmod 644 /etc/postfix/smtp.keytab<br>
<br>
postconf -e 'inet_interfaces = all'<br>
postconf -e 'mydestination = $myhostname, localhost.$mydomain,
localhost, $mydomain'<br>
postconf -e 'myorigin = $mydomain'<br>
postconf -e 'import_environment = MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG
TZ XAUTHORITY DISPLAY LANG=C KRB5_KTNAME=/etc/postfix/smtp.keytab'<br>
postconf -e 'smtpd_recipient_restrictions =
permit_sasl_authenticated, permit_mynetworks,
reject_unauth_destination'<br>
postconf -e 'smtpd_sasl_auth_enable = yes'<br>
postconf -e 'smtpd_sasl_security_options = noanonymous'<br>
postconf -e 'smtpd_sasl_tls_security_options =
$smtpd_sasl_security_options'<br>
postconf -e 'broken_sasl_auth_clients = yes'<br>
postconf -e 'smtpd_sasl_authenticated_header = yes'<br>
postconf -e 'smtpd_sasl_local_domain = $mydomain'<br>
<br>
<br>
cat >> /etc/postfix/main.cf << EOF<br>
virtual_alias_domains = example.com<br>
virtual_alias_maps = <a class="moz-txt-link-freetext" href="ldap:/etc/postfix/ldap_aliases.cf">ldap:/etc/postfix/ldap_aliases.cf</a><br>
EOF<br>
<br>
cat > /etc/postfix/ldap_aliases.cf << EOF<br>
server_host = ds01.example.com<br>
search_base = cn=accounts,dc=example,dc=com<br>
query_filter = (mail=%s)<br>
result_attribute = uid<br>
bind = no<br>
start_tls = yes<br>
version = 3<br>
EOF<br>
<br>
postmap /etc/postfix/ldap_aliases.cf<br>
restorecon -R /etc/postfix/<br>
<br>
cat > /etc/sasl2/smtpd.conf << EOF<br>
pwcheck_method: saslauthd<br>
mech_list: GSSAPI PLAIN LOGIN<br>
EOF<br>
<br>
sed -i 's/MECH=pam/MECH=kerberos5/g' /etc/sysconfig/saslauthd<br>
<br>
<br>
<br>
<span style="white-space: pre;">><br>
><br>
><br>
><br>
><br>
> > _______________________________________________<br>
> > Freeipa-users mailing list<br>
> > <a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a><br>
> > <a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
><br>
></span><br>
<br>
-----BEGIN PGP SIGNATURE-----<br>
Version: GnuPG v1.4.13 (GNU/Linux)<br>
Comment: Using GnuPG with Thunderbird - <a class="moz-txt-link-freetext" href="http://www.enigmail.net/">http://www.enigmail.net/</a><br>
<br>
iQIcBAEBAgAGBQJRQHPYAAoJEAJsWS61tB+qpOsQAJsGDmZVHLbP4YloMoYDM4M2<br>
zOkF7fhIqT+4OKlb5hgBxcFY/VFvwGK/qvYguNbvlxIfT+DQgkTZ5hHKSHjWj1kQ<br>
YVTaztp7p3S3acAYLTKprOltPslnFED4PuUA+EN8pxV/VAiABBE0xBoEIUGoIvEn<br>
oRsU2UmAkaDpFxP1F9vVM6APsvDXkTMaxmzlRZFkaotDkbSXAd58x5h5TajjpEs7<br>
rnppLgB7rfgL5bmeNjEoUT7g61nRvMYINh+Rr6HhZwOxWWfbe0SWXHasCkUrJ0V3<br>
5aXzhFH9z4hEGCKYZv5ugqDD/uw0c8/GOpYwONqwfVhEET0JxiKxgZnhoUP20SrT<br>
7RV8D6vzqhXtFdiD6MLrZ1euejuNRmGpSg3NxfOmKC8z1rHjXmYj61ppPGHJslNs<br>
4Ey61JuB+s5ickJKJ13juCzNmqYTmjclBUc4kzvEiYBPpskgmus3e/d3MUqpC/Jp<br>
17pS/aiPvm6Ko1N2QFbApAMVPGtooF3rt0HuJW8O7oJLnQw3GPwx4jViOY57t4Ka<br>
aiiYTs/ECddKKhTmc/GX12HuXhvZQtembGUar+BDt85nFYX5nkKlHxL7D9znmXmO<br>
/fA83oOhJexdzcq5zD/aOHlnv2j/eLDLXpPZFV8McLO9tqTPgeToqznyDVstrO4f<br>
JyxVSyPS8fY9noBVXydH<br>
=0xzR<br>
-----END PGP SIGNATURE-----<br>
<br>
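Added example, not part of the original thread or of the Postfix/FreeIPA projects: an audit script for the two weak spots in the working config above. First, chmod 644 leaves the keytab world-readable, so any local account can copy it and act as smtp/&lt;host&gt;; the daemon only needs it readable by the group it runs as. Second, mech_list offers PLAIN and LOGIN while no TLS is configured, so clients can send passwords in cleartext; adding noplaintext to smtpd_sasl_security_options restricts those mechanisms to TLS sessions (smtpd_sasl_tls_security_options is checked after STARTTLS), while GSSAPI is not a plaintext mechanism and keeps working over plain SMTP. The script runs on a temporary directory with a constructed main.cf; the /etc/postfix paths and the group name postfix (the Postfix daemon user on RHEL/Fedora) are assumptions.<br>
<br>
```shell
#!/bin/sh
# Added example (not from the original post). Audits the two weak spots in
# the posted config and applies the hardened settings:
#   1. chmod 644 makes the keytab world-readable; any local account can
#      copy it and impersonate smtp/<host>.
#   2. mech_list includes PLAIN and LOGIN while no TLS is configured, so
#      clients may send passwords in cleartext; "noplaintext" restricts
#      those mechanisms to TLS sessions (GSSAPI is not a plaintext mech).
# The demo works on a temporary directory; /etc/postfix paths and the
# group "postfix" (the daemon user on RHEL/Fedora) are assumptions.

# True if PATH has the other-read bit set (any local account can read it).
keytab_world_readable() {
    [ -n "$(find "$1" -prune -perm -004 2>/dev/null)" ]
}

# Restrict PATH to OWNER:GROUP, mode 0640. Production: root:postfix.
harden_keytab() {
    chown "$2" "$1" && chmod 640 "$1"
}

# Print the KRB5_KTNAME path exported via import_environment (the last
# definition wins, as in Postfix); empty if none is set.
keytab_from_main_cf() {
    sed -n 's/^import_environment *=.*KRB5_KTNAME=\([^ ,]*\).*/\1/p' "$1" | tail -n 1
}

# True if PLAIN/LOGIN are still usable over an unencrypted session:
# noplaintext is absent and TLS is neither mandatory nor required for AUTH.
cleartext_sasl_allowed() {
    opts=$(sed -n 's/^smtpd_sasl_security_options *= *//p' "$1" | tail -n 1)
    tls=$(sed -n 's/^smtpd_tls_security_level *= *//p' "$1" | tail -n 1)
    auth_only=$(sed -n 's/^smtpd_tls_auth_only *= *//p' "$1" | tail -n 1)
    case "$opts" in *noplaintext*) return 1 ;; esac
    case "$tls" in encrypt) return 1 ;; esac
    case "$auth_only" in yes) return 1 ;; esac
    return 0
}

# Append the hardened SASL settings (in production use postconf -e).
# Postfix honours the last definition of a parameter, so appending overrides.
write_sasl_hardening() {
    cat >> "$1" <<'EOF'
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
EOF
}

# --- demo on constructed files (not a real keytab or main.cf) -------------
demo=$(mktemp -d)
kt="$demo/smtp.keytab"
cf="$demo/main.cf"
: > "$kt"
chmod 644 "$kt"                       # the mode used in the post
cat > "$cf" <<'EOF'
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
EOF
printf 'import_environment = MAIL_CONFIG TZ LANG=C KRB5_KTNAME=%s\n' "$kt" >> "$cf"

path=$(keytab_from_main_cf "$cf")
echo "smtpd will use keytab: $path"
keytab_world_readable "$path" && echo "WEAK: keytab world-readable: $(ls -l "$path")"
harden_keytab "$path" "$(id -un):$(id -gn)"   # root:postfix in production
keytab_world_readable "$path" || echo "ok: $(ls -l "$path")"

cleartext_sasl_allowed "$cf" && echo "WEAK: PLAIN/LOGIN accepted without TLS"
write_sasl_hardening "$cf"
cleartext_sasl_allowed "$cf" || echo "ok: plaintext mechanisms require STARTTLS"
rm -rf "$demo"
```
<br>
On a real host run the checks against /etc/postfix/main.cf and the keytab it names, then verify the unprivileged daemon can still read the keytab, for example with `sudo -u postfix klist -kt /etc/postfix/smtp.keytab`; if that fails, smtpd will log the same "Unspecified GSS failure" seen in the thread.<br>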
</body>
</html>