[Bug 1279116] Re: Missing tmp directory for GSSAPI authentication

2014-02-12 Thread Craig G
Thanks for the quick response.  I started poking around in the Debian bugs
database and found a similar issue described here:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=606007

I submitted a comment asking to have the tmp directory added to the
chroot tree.

** Bug watch added: Debian Bug tracker #606007
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=606007

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to postfix in Ubuntu.
https://bugs.launchpad.net/bugs/1279116

Title:
  Missing tmp directory for GSSAPI authentication

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/postfix/+bug/1279116/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs


[Bug 1279116] [NEW] Missing tmp directory for GSSAPI authentication

2014-02-11 Thread Craig G
Public bug reported:

I had some trouble getting GSSAPI authentication in postfix working when
moving my mail system to a new machine.  GSSAPI is a bit complicated
with postfix since it runs in a chroot jail.  There are several guides
available for this process (in particular, getting the keytab and
krb5.conf files in the right place), and I did have it working on my
previous machine, so I was pretty sure I had the configuration correct
and that there was something wrong with the newly installed system.

Postfix was producing the following errors in the system log:
postfix/smtpd[5099]: warning: SASL authentication failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information ()
postfix/smtpd[5099]: warning: host[x.x.x.x]: SASL GSSAPI authentication failed: generic failure.

That error was not terribly useful, but strace-ing the smtpd process produced 
the source of the real error:
lstat(/var/tmp/smtp_118, 0x7fffcafd42f0) = -1 ENOENT (No such file or directory)
unlink(/var/tmp/smtp_118) = -1 ENOENT (No such file or directory)
open(/var/tmp/smtp_118, O_WRONLY|O_CREAT|O_EXCL|O_TRUNC, 0600) = -1 ENOENT (No such file or directory)
unlink(/var/tmp/smtp_118) = -1 ENOENT (No such file or directory)

The process was unable to create a credential cache because the /var/tmp
directory did not exist under the chroot filesystem.  Creating the
directory /var/spool/postfix/var/tmp with postfix-writeable permissions
fixed the problem and GSSAPI authentication started working.

I'm not exactly sure why the gssapi library was using /var/tmp instead
of /tmp (which didn't exist either).  Kerberos credentials for the rest
of my system are stored in /tmp.

I think the postfix package should be altered to include a /var/tmp
directory in the chroot file hierarchy.  If that is not possible, the
gssapi configuration within the chroot should be set up to use a
different directory for the credential cache, which does exist and has
the proper permissions.

** Affects: postfix (Ubuntu)
 Importance: Undecided
 Status: New

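
A check for the condition described in the report above, as an added example that is not part of the original bug report or the postfix package: it audits a chroot for the credential cache directory and flags one that is missing, symlinked, or shared unsafely. The function name, the status words and the sticky-bit test are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the bug report or the postfix package.
# check_chroot_tmp ROOT OWNER [RELDIR...]
#   ROOT    chroot root (/var/spool/postfix in the report)
#   OWNER   account name or numeric uid the smtpd process runs as
#   RELDIR  directories to check inside ROOT; defaults to var/tmp,
#           the path seen in the strace output
# Prints "<STATUS> <reldir>" per directory; returns 1 if any is not OK.
check_chroot_tmp() {
    root=$1 owner=$2
    shift 2
    [ $# -gt 0 ] || set -- var/tmp
    rc=0
    for rel in "$@"; do
        dir=$root/$rel
        if [ -L "$dir" ]; then
            # A symlink may resolve outside the jail, or not at all.
            status=SYMLINK
        elif [ ! -e "$dir" ]; then
            # The ENOENT case from the report.
            status=MISSING
        elif [ ! -d "$dir" ]; then
            status=NOTDIR
        elif [ -n "$(find "$dir" -prune -perm -0002 ! -perm -1000 2>/dev/null)" ]; then
            # World-writable without the sticky bit: any local account
            # can remove or replace another account's cache file.
            status=UNSAFE
        elif [ -n "$(find "$dir" -prune -perm -1002 2>/dev/null)" ] ||
             [ -n "$(find "$dir" -prune -user "$owner" -perm -0200 2>/dev/null)" ]; then
            # Shared with the sticky bit set, or owned by OWNER with write access.
            status=OK
        else
            status=NOWRITE
        fi
        echo "$status $rel"
        [ "$status" = OK ] || rc=1
    done
    return $rc
}

# When run as a script: check_chroot_tmp.sh /var/spool/postfix postfix
[ $# -lt 2 ] || check_chroot_tmp "$@"
```
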