Sorry, I had accidentally replied to Simo privately.

Moving back to the list.  -A

On Friday, July 12, 2013 12:01:08 PM Simo Sorce wrote:
> On Fri, 2013-07-12 at 10:52 -0500, Anthony Messina wrote:
> > On Friday, July 12, 2013 11:36:50 AM you wrote:
> > > > Dmitri, thanks for the info on gssproxy.  I am using gssproxy for NFS in
> > > > F19, but have not begun using it for other services such as an smtp
> > > > client, though this is exactly what I'd be looking for.  Do you think
> > > > you'd be able to show us what the gssproxy.conf file might look like for
> > > > Postfix's smtp service?
> > > 
> > > I will need to look at how postfix uses gssapi, it may 'just work' or
> > > it may require some patching to avoid bad uses of gssapi or
> > > unconditional uses of direct krb5 calls. For nfs-util I had to send a
> > > very small patch.
> > > If SASL is used I am relatively sure it will just work though.
> > > 
> > > > How would one store the keytab in /var/lib/gssapi/clients?  As far as I
> > > > can tell, the keytabs stored there are listed as <uidnumber>.keytab, so
> > > > I imagine this would be stored as the postfix user's uidnumber.
> > > 
> > > When you use a keytab for 'accepting' rather than 'initiating' you can
> > > place it where you want and give it whatever name you want as it doesn't
> > > change based on the peer name. Of course you want to place it in a place
> > > where (only) gssproxy can use it.
> > > 
> > > The configuration for SMTP would be something like:
> > > 
> > > [service/smtp-server]
> > > 
> > >   mechs = krb5
> > >   cred_store = keytab:/etc/postfix/smtp.keytab
> > >   trusted = no
> > >   euid = 12345 #smtp's process user id
> > > 
> > > HTH,
> > > Simo.
> > 
> > In this case, Postfix is acting as a client, which is why it seems a little
> > tricky to me.  I have been using Postfix/GSSAPI on the smtpD end for years,
> > but not the smtp end yet, as I hadn't figured out the sasl_maps thing,
> > until I reviewed Erinn's post.
> 
> Oh sorry, I misunderstood that, however the configuration wouldn't be
> much different, you'd just add:
> cred_store = client_keytab:/etc/postfix/smtp.keytab or similar
> 
> > Erinn may already know that the smtp part of Postfix runs as the 'postfix'
> > user whereas Postfix's 'master' process runs as root.
> > 
> > Anyway, I'll keep following and I can test things out and report back as
> > well.
> Thanks, it would be really nice if we could augment this with a
> privilege separation recipe based on gssproxy
> 
> Simo.
-- 
Anthony - http://messinet.com - http://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E


_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
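As an added illustration (not part of the thread and not Simo's or the gssproxy project's own file): a gssproxy.conf fragment that puts together the two halves discussed above, the accepting smtpd side from Simo's first reply and the initiating smtp-client side from his follow-up. It uses only the directives that appear in the thread (mechs, cred_store with keytab: and client_keytab:, trusted, euid). Both Postfix's smtpd and smtp processes run as the same 'postfix' user, so one service section keyed on that uid covers both; the keytab and ccache paths and the uid value are assumed placeholders, and the ccache: entry is an assumption about where gssproxy should keep the TGT it obtains from the client keytab.

```ini
# Added example, not from the thread. Paths and the uid are placeholders.
# Both Postfix's smtpd (accepting) and smtp (initiating) processes run as
# the 'postfix' user, so a single section keyed on that euid serves both.
[service/postfix]
  mechs = krb5
  # Accepting side (smtpd): the service key, smtp/<host>@REALM, lives in a
  # keytab that only gssproxy (root) can read. The postfix processes never
  # see the key; they only talk to gssproxy over its socket.
  cred_store = keytab:/var/lib/gssproxy/postfix.keytab
  # Initiating side (smtp client): the same key is used to obtain a TGT, so
  # the client authenticates to the peer as smtp/<host>@REALM.
  cred_store = client_keytab:/var/lib/gssproxy/postfix.keytab
  # Assumed location for the TGT gssproxy caches for this service.
  cred_store = ccache:FILE:/var/lib/gssproxy/clients/krb5cc_postfix
  # Not trusted: the service may not impersonate arbitrary principals.
  trusted = no
  # Numeric uid of the 'postfix' user; replace with the output of
  # `id -u postfix` on the host (89 is only a common Fedora value).
  euid = 89
```

The privilege-separation point is in the file permissions rather than the config: the keytab must be owned by root with mode 0600 so that a compromised postfix process cannot read it, which is exactly the property a keytab under /etc/postfix readable by the 'postfix' user would lack. Current gssproxy also requires the consuming process to have GSS_USE_PROXY=yes in its environment before its GSSAPI calls are routed through the proxy; the thread does not discuss that step, so check the gssproxy documentation for the version in use.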
