Sorry, I had accidentally replied to Simo privately. Moving back to the list. -A
On Friday, July 12, 2013 12:01:08 PM Simo Sorce wrote:
> On Fri, 2013-07-12 at 10:52 -0500, Anthony Messina wrote:
> > On Friday, July 12, 2013 11:36:50 AM you wrote:
> > > > Dmitri, thanks for the info on gssproxy. I am using gssproxy for NFS in
> > > > F19, but have not begun using it for other services such as an smtp
> > > > client, though this is exactly what I'd be looking for. Do you think
> > > > you'd be able to show us what the gssproxy.conf file might look like for
> > > > Postfix's smtp service?
> > >
> > > I will need to look at how postfix uses gssapi, it may 'just work' or
> > > it may require some patching to avoid bad uses of gssapi or
> > > unconditional uses of direct krb5 calls. For nfs-util I had to send a
> > > very small patch.
> > > If SASL is used I am relatively sure it will just work though.
> > >
> > > > How would one store the keytab in /var/lib/gssapi/clients? As far as I
> > > > can tell, the keytabs stored there are listed as <uidnumber>.keytab, so
> > > > I imagine this would be stored as the postfix user's uidnumber.
> > >
> > > When you use a keytab for 'accepting' rather than 'initiating' you can
> > > place it where you want and give it whatever name you want as it doesn't
> > > change based on the peer name. Of course you want to place it in a place
> > > where (only) gssproxy can use it.
> > >
> > > The configuration for SMTP would be something like:
> > >
> > > [service/smtp-server]
> > >
> > > mechs = krb5
> > > cred_store = keytab:/etc/postfix/smtp.keytab
> > > trusted = no
> > > euid = 12345 #smtp's process user id
> > >
> > > HTH,
> > > Simo.
> >
> > In this case, Postfix is acting as a client, which is why it seems a little
> > tricky to me. I have been using Postfix/GSSAPI on the smtpD end for years,
> > but not the smtp end yet, as I hadn't figured out the sasl_maps thing,
> > until I reviewed Erinn's post.
>
> Oh sorry, I misunderstood that, however the configuration wouldn't be
> much different, you'd just add:
> cred_store = client_keytab:/etc/postfix/smtp.keytab or similar
>
> > Erinn may already know that the smtp part of Postfix runs as the 'postfix'
> > user whereas Postfix's 'master' process runs as root.
> >
> > Anyway, I'll keep following and I can test things out and report back as
> > well.
>
> Thanks, it would be really nice if we could augment this with a
> privilege separation recipe based on gssproxy
>
> Simo.

-- 
Anthony - http://messinet.com - http://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
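To make the accept/initiate distinction discussed above concrete, here is an added gssproxy.conf sketch; it is not from the thread or from the gssproxy project, and the section name, the uid 89 (Fedora's usual 'postfix' uid) and the use of the cred_usage key are assumptions to verify against gssproxy.conf(5) on your system. It combines Simo's accept-side keytab with the client_keytab he suggests for the outbound smtp client, since both smtpd(8) and smtp(8) run as the unprivileged 'postfix' user while the keytab itself stays readable only by gssproxy (root):

```ini
# /etc/gssproxy/gssproxy.conf (added example, not the thread's own config)
#
# One section covers both Postfix roles, because smtpd (accepting
# inbound AUTH GSSAPI) and smtp (initiating outbound AUTH GSSAPI)
# run under the same effective uid; gssproxy selects the section by
# the euid of the connecting process.
#
# /etc/postfix/smtp.keytab should be owned by root with mode 0600:
# the postfix processes never open it, gssproxy does so on their
# behalf, which is the privilege-separation point of the setup.

[service/postfix]
  mechs = krb5

  # Accept side (smtpd): verify tickets presented by inbound clients.
  cred_store = keytab:/etc/postfix/smtp.keytab

  # Initiate side (smtp): let gssproxy obtain the service's own
  # credentials from the keytab when relaying to a GSSAPI-capable peer.
  cred_store = client_keytab:/etc/postfix/smtp.keytab

  # Allow both directions (assumed key; "both" is also the default).
  cred_usage = both

  # The process is not trusted to impersonate other principals.
  trusted = no

  # Assumed uid of the 'postfix' user; confirm with: id -u postfix
  euid = 89
```

The Postfix daemons only reach gssproxy if they run with the gssproxy mech interposer enabled for their process (GSS_USE_PROXY=yes in the daemon environment), so check that variable is actually exported to the smtp/smtpd children before assuming the keytab is no longer read directly.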