Missing tmp directory for GSSAPI authentication

Bug #1279116 reported by Craig G
This bug affects 1 person
Affects: postfix (Debian) | Status: New | Importance: Unknown
Affects: postfix (Ubuntu) | Status: New | Importance: Low | Assigned to: Unassigned

Bug Description

I had some trouble getting GSSAPI authentication in postfix working when moving my mail system to a new machine. GSSAPI is a bit complicated with postfix since it runs in a chroot jail. There are several guides available for this process (in particular, getting the keytab and krb5.conf files in the right place), and I did have it working on my previous machine, so I was pretty sure I had the configuration correct and that there was something wrong with the newly installed system.

Postfix was producing the following errors in the system log:
postfix/smtpd[5099]: warning: SASL authentication failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information ()
postfix/smtpd[5099]: warning: host[x.x.x.x]: SASL GSSAPI authentication failed: generic failure.

That error was not terribly useful, but strace-ing the smtpd process produced the source of the real error:
lstat("/var/tmp/smtp_118", 0x7fffcafd42f0) = -1 ENOENT (No such file or directory)
unlink("/var/tmp/smtp_118") = -1 ENOENT (No such file or directory)
open("/var/tmp/smtp_118", O_WRONLY|O_CREAT|O_EXCL|O_TRUNC, 0600) = -1 ENOENT (No such file or directory)
unlink("/var/tmp/smtp_118") = -1 ENOENT (No such file or directory)

The process was unable to create a credential cache because the /var/tmp directory did not exist under the chroot filesystem. Creating the directory /var/spool/postfix/var/tmp with postfix-writeable permissions fixed the problem and GSSAPI authentication started working.

I'm not exactly sure why the gssapi library was using /var/tmp instead of /tmp (which didn't exist either). Kerberos credentials for the rest of my system are stored in /tmp.

I think the postfix package should be altered to include a /var/tmp directory in the chroot file hierarchy. If that is not possible, the gssapi configuration within the chroot should be set up to use a different directory for the credential cache, which does exist and has the proper permissions.
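
The diagnosis described in the report, as an added example that is not part of the original report or of the postfix package: a Python script that pulls failed file creations out of strace output and checks the state of the parent directory under the chroot. The chroot path /var/spool/postfix comes from the report; the function names and the uid argument are assumptions of this example.

```python
import os
import re
import stat
import sys

# Constructed sample input: the four strace lines quoted in the report.
SAMPLE_STRACE = """\
lstat("/var/tmp/smtp_118", 0x7fffcafd42f0) = -1 ENOENT (No such file or directory)
unlink("/var/tmp/smtp_118") = -1 ENOENT (No such file or directory)
open("/var/tmp/smtp_118", O_WRONLY|O_CREAT|O_EXCL|O_TRUNC, 0600) = -1 ENOENT (No such file or directory)
unlink("/var/tmp/smtp_118") = -1 ENOENT (No such file or directory)
"""

# open()/openat() calls on an absolute path that returned ENOENT.
OPEN_ENOENT = re.compile(
    r'\bopen(?:at)?\((?:AT_FDCWD, )?"(?P<path>/[^"]*)", (?P<flags>[A-Z_|]+)[^)]*\)'
    r'\s+= -1 ENOENT')

def failed_creates(strace_text):
    """Paths (as seen inside the chroot) whose O_CREAT open failed with ENOENT."""
    paths = []
    for m in OPEN_ENOENT.finditer(strace_text):
        if "O_CREAT" in m["flags"].split("|") and m["path"] not in paths:
            paths.append(m["path"])
    return paths

def dir_status(path, uid):
    """'missing', 'not writable' or 'ok'. Mode bits only: ignores groups, ACLs, root."""
    if not os.path.isdir(path):
        return "missing"
    st = os.stat(path)
    need = (stat.S_IWUSR | stat.S_IXUSR) if st.st_uid == uid else (stat.S_IWOTH | stat.S_IXOTH)
    return "ok" if (st.st_mode & need) == need else "not writable"

def check_chroot(strace_text, chroot, uid):
    """Map each failed create into the chroot and report its parent directory's state."""
    report = []
    for path in failed_creates(strace_text):
        parent = os.path.join(chroot, os.path.dirname(path).lstrip("/"))
        entry = (parent, dir_status(parent, uid))
        if entry not in report:
            report.append(entry)
    return report

if __name__ == "__main__":
    # Defaults are assumptions: the chroot path from the report, the caller's uid.
    chroot = sys.argv[1] if len(sys.argv) > 1 else "/var/spool/postfix"
    uid = int(sys.argv[2]) if len(sys.argv) > 2 else os.getuid()
    for parent, state in check_chroot(SAMPLE_STRACE, chroot, uid):
        print(f"{state:12} {parent}")
```

Run as a script, the first argument is the chroot root and the second is the numeric uid that the smtpd process runs as.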

Robie Basak (racb) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better.

Your report sounds reasonable and I appreciate the detail and diagnostics that you performed.

Since I believe GSSAPI is an uncommon end-user configuration for postfix, I'm marking this bug with Low importance.

It seems to me that this bug would equally affect Debian, and if so then this bug would probably best be raised in Debian, and then Ubuntu will sync or merge in time as appropriate.

Please could you check that this bug reproduces in Debian, and then file a bug there if so? Thanks!

tags: added: needs-upstream-report
Changed in postfix (Ubuntu):
importance: Undecided → Low
Craig G (cgallek) wrote :

Thanks for the quick response. I started poking around in the Debian bugs database and found a similar issue described here:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=606007

I submitted a comment asking to have the tmp directory added to the chroot tree.

Robie Basak (racb)
tags: removed: needs-upstream-report
Changed in postfix (Debian):
status: Unknown → New