[Bug 1279116] [NEW] Missing tmp directory for GSSAPI authentication

Craig G cgallek at gmail.com
Tue Feb 11 23:05:09 UTC 2014 

Public bug reported:

I had some trouble getting GSSAPI authentication in postfix working when
moving my mail system to a new machine.  GSSAPI is a bit complicated
with postfix since it runs in a chroot jail.  There are several guides
available for this process (in particular, getting the keytab and
krb5.conf files in the right place), and I did have it working on my
previous machine, so I was pretty sure I had the configuration correct
and that there was something wrong with the newly installed system.

Postfix was producing the following errors in the system log:
postfix/smtpd[5099]: warning: SASL authentication failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information ()
postfix/smtpd[5099]: warning: host[x.x.x.x]: SASL GSSAPI authentication failed: generic failure.

That error was not terribly useful, but strace-ing the smtpd process produced the source of the real error:
lstat("/var/tmp/smtp_118", 0x7fffcafd42f0) = -1 ENOENT (No such file or directory)
unlink("/var/tmp/smtp_118")             = -1 ENOENT (No such file or directory)
open("/var/tmp/smtp_118", O_WRONLY|O_CREAT|O_EXCL|O_TRUNC, 0600) = -1 ENOENT (No such file or directory)
unlink("/var/tmp/smtp_118")             = -1 ENOENT (No such file or directory)

The process was unable to create a credential cache because the /var/tmp
directory did not exist under the chroot filesystem.  Creating the
directory /var/spool/postfix/var/tmp with postfix-writeable permissions
fixed the problem and GSSAPI authentication started working.

I'm not exactly sure why the gssapi library was using /var/tmp instead
of /tmp (which didn't exist either).  kerberos credentials for the rest
of my system are stored in /tmp.

I think the postfix package should be altered to include a /var/tmp
directory in the chroot file hierarchy.  If that is not possible, the
gssapi configuration within the chroot should be setup to use a
different directory for the credential cache, which does exist and has
the proper permissions.

** Affects: postfix (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to postfix in Ubuntu.
https://bugs.launchpad.net/bugs/1279116

Title:
  Missing tmp directory for GSSAPI authentication

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/postfix/+bug/1279116/+subscriptions

More information about the Ubuntu-server-bugs mailing list