From: Dennis Putnam on
I am trying to upgrade to Postfix 2.5.5 and am having a problem with GSSAPI authentication. When I try to send mail, I get this error in the log:

warning: SASL authentication failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Key table entry not found)

This was all working with version 2.1.5 so I am guessing that there is a change I need to make to the configuration. However, this error message is not very helpful as I know the Kerberos information is correct because it works with the same credentials for other things.

Can someone point me in the right direction on this? TIA.
From: Victor Duchovni on
On Mon, Dec 14, 2009 at 08:54:32AM -0500, Dennis Putnam wrote:

> I am trying to upgrade to Postfix 2.5.5 and am having a problem with GSSAPI authentication. When I try to send mail, I get this error in the log:
>
> warning: SASL authentication failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Key table entry not found)

You have eliminated the most important part of this error message:
the name of the complaining process. We can guess that it was "smtpd",
as we expect the SMTP server to use keytabs, and the SMTP client to use
a credential cache.

The error indicates that "smtp/<servername>@REALM" was not found in the
keytab file used. Make sure you are using the right keytab file and that
it has the expected contents.

--
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
<mailto:majordomo(a)postfix.org?body=unsubscribe%20postfix-users>

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
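
The keytab check described in the reply above, as an added example that is not part of the original thread: it scans `klist -k` output for the `smtp/<servername>@REALM` entry and separates a near miss (the service key exists under another host name or realm) from a missing key. The host names, realm, keytab path and function names are constructed for illustration, and the MIT `klist -k` listing layout is assumed.

```shell
#!/bin/sh
# Added example, not from the thread. Host and realm names are constructed.
# Real use: klist -k /path/to/keytab | check_keytab smtp mail.example.com EXAMPLE.COM

# Constructed `klist -k` output: host/ key under the FQDN, smtp/ key under the
# short host name only.
sample_klist() {
    cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------
   2 host/mail.example.com@EXAMPLE.COM
   2 host/mail.example.com@EXAMPLE.COM
   1 smtp/mail@EXAMPLE.COM
EOF
}

# Print each principal once. Entry lines start with a numeric KVNO; the
# principal is the first field containing "@" (tolerates extra columns).
list_principals() {
    awk '$1 ~ /^[0-9]+$/ { for (i = 2; i <= NF; i++) if ($i ~ /@/) { print $i; break } }' | sort -u
}

# check_keytab SERVICE HOST REALM  (reads `klist -k` output on stdin)
#   OK <principal>       exact entry present, returns 0
#   NEAR <principal>     same service under another host or realm, returns 1
#   MISSING <principal>  no entry for the service at all, returns 2
check_keytab() {
    want="$1/$2@$3"
    principals=$(list_principals)
    if printf '%s\n' "$principals" | grep -Fqx -- "$want"; then
        echo "OK $want"; return 0
    fi
    near=$(printf '%s\n' "$principals" | awk -v p="$1/" 'index($0, p) == 1' | head -n 1)
    if [ -n "$near" ]; then
        echo "NEAR $near"; return 1
    fi
    echo "MISSING $want"; return 2
}

# The constructed keytab lacks the FQDN form, so this prints a NEAR result.
sample_klist | check_keytab smtp mail.example.com EXAMPLE.COM || true
```

A NEAR result points at a principal created under a different host name or realm than the one requested; MISSING means the keytab being read holds no key for the service at all.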

From: Victor Duchovni on
On Mon, Dec 14, 2009 at 01:55:07PM -0500, Dennis Putnam wrote:

> You are correct, it was indeed SMTP.

Which "SMTP"? The server "smtpd" (as I surmised) or the client "smtp"?

> I thought about that but I can't find any references to it in the
> Postfix documentation.

Postfix does not implement SASL GSSAPI, Cyrus SASL implements GSSAPI.
So, Postfix does not document GSSAPI.

> Where do I look to specify that? If it simply
> uses mit.edu.Kerberos, that file is correct.

This is not a "keytab" file, it is the equivalent of krb5.conf on
MacOSX systems.

> It may be that it can't
> find that file but again I don't see where to specify a path for it.

Where did you deploy the keys for "smtp/<hostname>@REALM"?
How did you tell Postfix where to look for the keys?

http://www.postfix.org/DEBUG_README.html#mail

--
Viktor.
