I have almost got saslauthd checking passwords against Kerberos, but I have run into some problems on CentOS 7. When postfix talks to saslauthd it sends a lowercased domain name, and that does not get corrected. I tried fixing it in /etc/krb5.conf with [domain_realms], but no luck. testsaslauthd works fine, and so does kinit.
saslfinger - postfix Cyrus sasl configuration Mon Oct 13 02:09:37 EDT 2014
version: 1.0.2
mode: server-side SMTP AUTH
-- basics --
Postfix: 2.10.1
System: CentOS Linux release 7.0.1406 (Core)
-- smtpd is linked to --
libsasl2.so.3 => /lib64/libsasl2.so.3 (0x00007fb849a49000)
-- active SMTP AUTH and TLS parameters for smtpd --
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = EXAMPLE.COM
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix-certs/smtp.crt
smtpd_tls_key_file = /etc/postfix-certs/smtp.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_timeout = 3600s
-- listing of /usr/lib64/sasl2 --
total 692
drwxr-xr-x. 2 root root 4096 Oct 12 20:39 .
dr-xr-xr-x. 62 root root 32768 Oct 12 15:59 ..
-rwxr-xr-x. 1 root root 19952 Jun 10 00:15 libanonymous.so
-rwxr-xr-x. 1 root root 19952 Jun 10 00:15 libanonymous.so.3
-rwxr-xr-x. 1 root root 19952 Jun 10 00:15 libanonymous.so.3.0.0
-rwxr-xr-x. 1 root root 24160 Jun 10 00:15 libcrammd5.so
-rwxr-xr-x. 1 root root 24160 Jun 10 00:15 libcrammd5.so.3
-rwxr-xr-x. 1 root root 24160 Jun 10 00:15 libcrammd5.so.3.0.0
-rwxr-xr-x. 1 root root 57888 Jun 10 00:15 libdigestmd5.so
-rwxr-xr-x. 1 root root 57888 Jun 10 00:15 libdigestmd5.so.3
-rwxr-xr-x. 1 root root 57888 Jun 10 00:15 libdigestmd5.so.3.0.0
-rwxr-xr-x. 1 root root 36904 Jun 10 00:15 libgssapiv2.so
-rwxr-xr-x. 1 root root 36904 Jun 10 00:15 libgssapiv2.so.3
-rwxr-xr-x. 1 root root 36904 Jun 10 00:15 libgssapiv2.so.3.0.0
-rwxr-xr-x. 1 root root 19984 Jun 10 00:15 liblogin.so
-rwxr-xr-x. 1 root root 19984 Jun 10 00:15 liblogin.so.3
-rwxr-xr-x. 1 root root 19984 Jun 10 00:15 liblogin.so.3.0.0
-rwxr-xr-x. 1 root root 19984 Jun 10 00:15 libplain.so
-rwxr-xr-x. 1 root root 19984 Jun 10 00:15 libplain.so.3
-rwxr-xr-x. 1 root root 19984 Jun 10 00:15 libplain.so.3.0.0
-rwxr-xr-x. 1 root root 28200 Jun 10 00:15 libsasldb.so
-rwxr-xr-x. 1 root root 28200 Jun 10 00:15 libsasldb.so.3
-rwxr-xr-x. 1 root root 28200 Jun 10 00:15 libsasldb.so.3.0.0
-- listing of /etc/sasl2 --
total 16
drwxr-xr-x. 2 root root 23 Oct 13 01:58 .
drwxr-xr-x. 98 root root 8192 Oct 13 00:42 ..
-rw-r--r--. 1 root root 101 Oct 13 01:58 smtpd.conf
-- content of /etc/sasl2/smtpd.conf --
pwcheck_method: saslauthd
mech_list: GSSAPI PLAIN LOGIN
keytab: /etc/postfix/smtp.keytab
loglevel: 6
-- active services in /etc/postfix/master.cf --
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
smtp inet n - n - - smtpd
submission inet n - n - - smtpd
pickup unix n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr unix n - n 300 1 qmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
-- mechanisms on localhost --
-- end of saslfinger output --
testsaslauthd:
[root@mail ~]# testsaslauthd -u [email protected] -p password -s smtp
0: OK "Success."
This is most likely a problem with Postfix: since testsaslauthd works fine, Postfix must not be sending the right parameters to saslauthd.
Update
As suggested, I have been using "ltrace -S" on single-threaded instances of saslauthd and krb5kdc. With testsaslauthd there is a flurry of activity in both saslauthd and the KDC, and the result is a successful authentication, but when Postfix tries the same username and password, only saslauthd shows activity and the KDC shows none. There are also no selinux audit logs.
ltrace -S output from saslauthd when called from Postfix:
**SNIP**
close@SYS(10) = 0
gettimeofday@SYS(0x7ffffc0fa5b0, nil) = 0
<... krb5_init_context resumed> ) = 0
__snprintf_chk(0x7ffffc0fafb0, 2048, 1, 2048) = 33
krb5_parse_name(0x7f15647cc070, 0x7ffffc0fafb0, 0x7ffffc0fa6a8, 0x7fffffde) = 0x96c73a86
krb5_free_context(0x7f15647cc070, 0, 0x7f1560ee5770, 0) = 1361
__syslog_chk(3, 1, 0x7f1562b364cb, 0x7f15647cc060 <unfinished ...>
sendto@SYS(3, 0x7f15647cee20, 64, 0x4000) = 64
<... __syslog_chk resumed> ) = 0
malloc(28) = 0x7f15647ce510
strlen("NO saslauthd internal error") Oct 19 14:21:57 mail saslauthd[32005]: auth_krb5: krb5_parse_name
**SNIP**
When called via testsaslauthd (note the difference after the call to krb5_parse_name):
read(9, "smtp", 4) = 4
__errno_location() = 0x7fd8e86de7a0
read(9, "", 2) = 2
krb5_init_context(0x7fffe69f1888, 0x7fffe69f4de0, 0x7fffe69f4ef0, 0x7fffe69f5000) = 0
__snprintf_chk(0x7fffe69f21a0, 2048, 1, 2048) = 19
krb5_parse_name(0x7fd8e8bfd070, 0x7fffe69f21a0, 0x7fffe69f1898, 0x7fffffec) = 0
strcpy(0x7fffe69f19a0, "MEMORY:0") = 0x7fffe69f19a0
krb5_cc_resolve(0x7fd8e8bfd070, 0x7fffe69f19a0, 0x7fffe69f1890, 0x7fd8e870d0e2) = 0
krb5_cc_initialize(0x7fd8e8bfd070, 0x7fd8e8c22090, 0x7fd8e8c21f70, 0) = 0
krb5_get_init_creds_opt_init(0x7fffe69f18d0, 0, 0, 0) = 0
krb5_get_init_creds_opt_set_tkt_life(0x7fffe69f18d0, 900, 0, 0) = 0
krb5_get_init_creds_password(0x7fd8e8bfd070, 0x7fffe69f1920, 0x7fd8e8c21f70, 0x7fffe69f4de0
It looks like there is a problem with how the Kerberos client libraries are set up. Given that the KDC is not even contacted in the first case, the KRB5 client libraries seem to simply treat the call as garbage and drop everything. What I am not sure about is how to find out why, short of compiling everything and attaching a debugger to it.
** Update 2 **
Very close. What finally got me moving was running saslauthd on the command line, not under ltrace, but with KRB5_TRACE="/dev/stderr" exported in the environment. While using the testsaslauthd program (which has worked all along) I noticed the following:
saslauthd[785] :do_auth : auth success: [[email protected]] [service=smtp] [realm=] [mech=kerberos5]
That made me think, "hmm, it works without a realm", so I removed the realm from everywhere, including the command line and Postfix main.cf. Everything started working.
Then I realized I had set up the mail client with the username [email protected] instead of [email protected]. When I changed it back to the lowercase email address, everything stopped working.
Then I realized I had been using testsaslauthd with [email protected] all along.
Does this make sense? It looks like a problem with krb5.conf, but everything looks fine?
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
ticket_lifetime = 24h
forwardable = yes
default_ccache_name = KEYRING:persistent:%{uid}
[realms]
EXAMPLE.COM = {
kdc = mail.example.com:88
master_kdc = mail.example.com:88
admin_server = mail.example.com:749
default_domain = example.com
pkinit_anchors = FILE:/etc/ipa/ca.crt
}
[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
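The ltrace output above shows saslauthd calling __snprintf_chk and then krb5_parse_name, with the parse failing only in the Postfix case. The following is an added example, not code from the thread, saslauthd or MIT krb5: it models a saslauthd-style helper that joins the SASL user and realm into one string (the "%s@%s" composition rule is an assumption based on that call sequence), and a small parser that applies the Kerberos principal-string rules ('/' separates components, the first unquoted '@' starts the realm, backslash quotes the next character, a second unquoted '@' is malformed, and the configured default realm is applied only when the string carries no realm of its own). Running it on the two shapes of input discussed in the thread shows which strings krb5_parse_name would reject, and that a lowercase realm embedded in the user name is kept verbatim rather than mapped through [domain_realm] or replaced by default_realm.

```python
"""Model of how a saslauthd-style Kerberos helper turns (user, realm) into the
string handed to krb5_parse_name(), plus a parser applying the principal-string
rules so the malformed cases are visible.

Added example for this thread; not saslauthd's or MIT krb5's own code.
The "%s@%s" composition when a realm is supplied is an assumption modelled on
the snprintf -> krb5_parse_name sequence in the ltrace output.
"""
from typing import List, Optional, Tuple

# Backslash escapes recognised in a principal string (MIT krb5 unparse syntax).
_ESCAPES = {"n": "\n", "t": "\t", "b": "\b", "0": "\0", "/": "/", "@": "@", "\\": "\\"}


class MalformedPrincipal(ValueError):
    """Stands in for the KRB5_PARSE_MALFORMED error krb5_parse_name returns."""


def compose_principal(user: str, realm: Optional[str]) -> str:
    """Build the string a saslauthd-style helper would hand to krb5_parse_name.

    Assumption: with a non-empty realm the helper concatenates "user@realm"
    without checking whether `user` already carries a realm of its own.
    """
    if realm:
        return f"{user}@{realm}"
    return user


def parse_principal(text: str, default_realm: Optional[str] = None) -> Tuple[List[str], str]:
    """Split a principal string into (components, realm).

    '/' separates name components, the first unquoted '@' starts the realm,
    a backslash quotes the following character, and an empty string, a trailing
    backslash or a second unquoted '@' is malformed. When the string has no
    realm, default_realm (the [libdefaults] default_realm) is applied; a realm
    that is present is kept exactly as written, case included.
    """
    if not text:
        raise MalformedPrincipal("empty principal")
    components: List[str] = []
    current: List[str] = []
    in_realm = False
    i = 0
    while i < len(text):
        c = text[i]
        if c == "\\":
            if i + 1 >= len(text):
                raise MalformedPrincipal("trailing backslash")
            current.append(_ESCAPES.get(text[i + 1], text[i + 1]))
            i += 2
            continue
        if c == "@":
            if in_realm:
                raise MalformedPrincipal(f"second unquoted '@' in {text!r}")
            components.append("".join(current))
            current = []
            in_realm = True
        elif c == "/" and not in_realm:
            components.append("".join(current))
            current = []
        else:
            current.append(c)
        i += 1
    if in_realm:
        return components, "".join(current)
    components.append("".join(current))
    if default_realm is None:
        raise MalformedPrincipal(f"no realm in {text!r} and no default realm")
    return components, default_realm


def describe(user: str, realm: Optional[str], default_realm: str) -> str:
    """Report what the composed string parses to, or why it is rejected."""
    composed = compose_principal(user, realm)
    try:
        components, parsed_realm = parse_principal(composed, default_realm)
    except MalformedPrincipal as exc:
        return f"{composed!r}: MALFORMED ({exc})"
    return f"{composed!r}: components={components} realm={parsed_realm!r}"


if __name__ == "__main__":
    # Constructed sample inputs; "alice" and "EXAMPLE.COM" are placeholders.
    for user, realm in [("alice", "EXAMPLE.COM"),            # plain user, realm supplied
                        ("alice@example.com", "EXAMPLE.COM"),  # realm supplied twice
                        ("alice@example.com", None),           # lowercase realm kept as-is
                        ("alice@EXAMPLE.COM", None),           # uppercase realm, no extra realm
                        ("alice", None)]:                      # default_realm applied
        print(describe(user, realm, "EXAMPLE.COM"))
```

The case that matters for the thread is a user name that already contains a realm combined with a separately supplied realm: the composed string has two unquoted '@' characters and is rejected before any KDC traffic happens. Note also that [domain_realm] maps host names to realms when service principals are built for hosts; it is never applied to the realm component of an already-written client principal, so a lowercase realm in the user string reaches the KDC exactly as typed.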