On Wed, Oct 28, 2009 at 05:11:33PM +0330, Ali Majdzadeh wrote:
> ehlo example.com
> auth gssapi base 64 encoded userid
The GSSAPI handshake does not work this way.
> When I monitor the logs, I see the following failure messages:
> warning: SASL authentication failure: GSSAPI Error: Invalid token was
> supplied (No error)
> What does the above line mean? Where do I go wrong in the process?
A base64 encoded username is not a valid GSSAPI token. Test with an
actual GSSAPI client. FWIW, Postfix works just fine with GSSAPI here.
As in your configuration, the server uses a keytab and KRB5_KTNAME is
set in the server environment (import_environment=...). The server
keytab belongs to the "postfix" ($mail_owner) user.
In our case the client (sending) system also has a keytab, but it is not
used directly, rather a cron job runs periodically, and uses "kinit -t"
to refresh the client credential cache. The client main.cf also has
"import_environment=..." with a setting for KRB5_CCNAME.
--
Viktor.
Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.
To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
<mailto:majord...@postfix.org?body=unsubscribe%20postfix-users>
If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
