Kerberos principal name mismatch


Kerberos principal name mismatch

Anvar Kuchkartaev
Hello, I configured 2 postfix instances which use a shared disk as mail storage and act as MX server and SMTP server at the same time. First server mx0.example.com and mx1.example.com, and smtp.example.com points to the IP address of both servers. The service principal smtp/[hidden email] is controlled by both hosts and saslauthd is also configured to use the service keytab (the entire system is managed by freeipa). If I use smtp.example.com (alias of the service principal) to send emails I am getting the following error:

nov 28 23:44:21 mx0.example.com postfix/smtps/smtpd[6110]: GSSAPI server step 1
nov 28 23:44:21 mx0.example.com postfix/smtps/smtpd[6110]: warning: SASL authentication failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Request ticket server smtp/smtp.example.com@... found in keytab but does not match server principal smtp/mx0.example.com@)
nov 28 23:44:21 mx0.example.com postfix/smtps/smtpd[6110]: warning: [xxx.xxx.xxx.xxx]: SASL GSSAPI authentication failed: authentication failure

If I use mx0.example.com (primary alias of the service principal) I can send emails easily. Currently I am using plain auth as a workaround to send emails. Does anyone have an idea how to solve/debug this?

Anvar Kuchkartaev 
[hidden email] 

Re: Kerberos principal name mismatch

Viktor Dukhovni
On Wed, Nov 29, 2017 at 12:31:21AM +0100, Anvar Kuchkartaev wrote:

>    Hello I configured 2x postfix instances which uses shared disk as mail
>    storage and they act as MX server and smtp server at same time. First
>    server mx0.example.com and mx1.example.com and smtp.example.com points
>    to ip address of both servers. The service principal
>    smtp/[hidden email] controlled by both hosts and saslauthd
>    is also configured to use service keytab (entire system is managed by
>    freeipa). If I use smtp.example.com (alias of service principal) to
>    send emails I am getting following error:
>
>    nov 28 23:44:21 mx0.example.com postfix/smtps/smtpd[6110]: GSSAPI
>    server step 1
>    nov 28 23:44:21 mx0.example.com postfix/smtps/smtpd[6110]: warning:
>    SASL authentication failure: GSSAPI Error: Unspecified GSS
>    failure.  Minor code may provide more information (Request ticket
>    server smtp/[hidden email] found in keytab but does
>    not
>    match server principal smtp/mx0.example.com@)
>    nov 28 23:44:21 mx0.example.com postfix/smtps/smtpd[6110]: warning:
>    [xxx.xxx.xxx.xxx]: SASL GSSAPI authentication failed: authentication
>    failure
>
>    If I use mx0.example.com (primary alias of service principal) I can
>    send emails easily. Currently I am using plain auth as workaround to
>    send emails. Does anyone have idea to solve/debug this?

The Cyrus SASL library does not support wildcard server credentials
(GSS_C_NO_CREDENTIAL).  Instead each SASL service must specify an
explicit service name (service@host) and this must be the name for
which clients obtain tickets.  IIRC Postfix passes "smtp@myhostname"
to Cyrus SASL as its service name.  Therefore, any given Postfix
instance can only support Kerberos clients that expect to connect
to the hostname that exactly matches the main.cf "myhostname"
setting.  The keytab file can of course be shared, and contain
one entry for each Postfix instance hostname.

The "dovecot" SASL backend does not share the same limitation.  So
if you configure Postfix to use the "dovecot" SASL backend, you
should be able to support multiple names in a single instance.

My dovecot configuration has:

    auth_realms = ...
    auth_mechanisms = gssapi plain
    auth_gssapi_hostname = "$ALL"
    auth_krb5_keytab = /var/spool/keytabs/imap

That magic "$ALL" token enables wildcard credentials: the
server will accept tickets for any principal name with keys
in the selected keytab file.

--
        Viktor.
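The two rules in Viktor's reply (Cyrus SASL only serves the single name smtp@myhostname, while Dovecot with auth_gssapi_hostname = "$ALL" serves any principal that has a key in the keytab) can be turned into a small pre-flight check over the keytab, which is how the "found in keytab but does not match server principal" error above would have been predicted before clients hit it. The following is an added example, not code from this thread, from Postfix or from Dovecot. It parses constructed MIT `klist -k` style output (the realm EXAMPLE.COM and the keytab path are assumed; the thread elides the realm) and reports, for each hostname clients may connect to, whether a GSSAPI login could succeed under each backend.

```python
"""Pre-flight check: which smtp/<host> names can a Postfix instance serve?

Added example (not from the thread). Assumptions: MIT Kerberos `klist -k`
output format, principals of the form smtp/<host>@<REALM>, and the sample
keytab listing below, which is constructed, not captured from a real host.
"""
import re

# Constructed sample of `klist -k /var/spool/keytabs/smtp`.  The realm
# EXAMPLE.COM is assumed; one row per enctype is normal, hence the duplicate.
SAMPLE_KLIST = """\
Keytab name: FILE:/var/spool/keytabs/smtp
KVNO Principal
---- --------------------------------------------------------------------------
   2 smtp/mx0.example.com@EXAMPLE.COM
   2 smtp/mx0.example.com@EXAMPLE.COM
   2 smtp/smtp.example.com@EXAMPLE.COM
"""

# Matches "<kvno> <service>/<host>@<REALM>"; header and separator rows do
# not start with a number and are skipped.  A trailing "(enctype)" column
# from `klist -k -e` is ignored because the realm group stops at whitespace.
PRINCIPAL_RE = re.compile(r"^\s*(\d+)\s+(\S+?)/(\S+?)@(\S+)")


def keytab_principals(klist_output):
    """Return the set of (service, host, realm) triples present in the keytab.
    Duplicate rows (one per enctype) collapse into a single entry."""
    found = set()
    for line in klist_output.splitlines():
        m = PRINCIPAL_RE.match(line)
        if m:
            _kvno, service, host, realm = m.groups()
            found.add((service, host, realm))
    return found


def cyrus_server_name(myhostname, service="smtp"):
    """The one service name Postfix hands to Cyrus SASL ("smtp@myhostname"),
    written in principal form: only tickets for this name are accepted."""
    return f"{service}/{myhostname}"


def check_client_names(client_names, myhostname, keytab, backend, service="smtp"):
    """For each hostname a client might use, say whether GSSAPI auth can
    succeed.  backend is "cyrus" (strict smtp@myhostname match) or
    "dovecot-all" (Dovecot with auth_gssapi_hostname = "$ALL", which accepts
    any principal whose key is in the keytab)."""
    hosts_with_keys = {host for (svc, host, _realm) in keytab if svc == service}
    results = {}
    for name in client_names:
        if name not in hosts_with_keys:
            # No key at all: fails under every backend.
            results[name] = f"FAIL: no {service}/{name} key in keytab"
        elif backend == "cyrus" and name != myhostname:
            # The error from the thread: key present, but not the server's name.
            results[name] = (f"FAIL: key present but Cyrus only serves "
                             f"{cyrus_server_name(myhostname, service)} "
                             f"(main.cf myhostname)")
        else:
            results[name] = "OK"
    return results


if __name__ == "__main__":
    # Names clients in the thread use: the instance's own name, the other
    # instance, and the shared alias.
    names = ["mx0.example.com", "mx1.example.com", "smtp.example.com"]
    kt = keytab_principals(SAMPLE_KLIST)
    for backend in ("cyrus", "dovecot-all"):
        print(f"== {backend} ==")
        for name, verdict in check_client_names(names, "mx0.example.com", kt, backend).items():
            print(f"  {name:20s} {verdict}")
```

On a real host the input for `keytab_principals` would be the output of `klist -k <keytab>` run on each Postfix instance, and `myhostname` the value of that instance's main.cf setting; the check then shows that with Cyrus SASL the shared alias can only work by running one instance per hostname, whereas with the Dovecot backend a single keytab holding keys for every name suffices.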