On Fri, Apr 06, 2012 at 04:47:37PM +0300, Eray Aslan wrote:
> On 2012-04-06 2:12 AM, Viktor Dukhovni wrote:
> > The basic idea is to ensure that there is always a ticket in the
> > client's credential cache. This is done via a cron-job that runs
> > "kinit -k ..." once an hour.
>
> kstart/krenew should be able to do the work as well. Is there any
> particular reason one would go the cron route?
>
> http://www.eyrie.org/~eagle/software/kstart/
The cron solution is much simpler and more robust. There is no
supervisor process running, no need for the child to not exit, no need
to instrument postfix start-up by wrapping in kstart, ... Instead, there
is a credential-cache on the system that is always unexpired, whether
Postfix is still running or not.

I used smtp/<hostfqdn>@DEFAULT_REALM

The "kinit -k" used the same keytab as the SMTP server uses to
authenticate inbound connections. All Postfix needed to do was to
augment the import_environment for the delivery agent:

main.cf:
    krb5_import_environment =
        # Postfix defaults, drop XAUTHORITY and DISPLAY
        # if you never use X11 graphical debuggers.
        # Never leave out LANG=C, the default en_US.UTF8 on many
        # systems breaks sorting, ...
        #
        # Don't try to be clever and use "$import_environment" here,
        # it won't work: the expansion in master.cf will loop!
        #
        MAIL_CONFIG MAIL_DEBUG MAIL_LOGTAG TZ XAUTHORITY DISPLAY LANG=C
        #
        # Added for Kerberos, strictly only one of these is needed
        # on the server and the other on the client, but it is
        # simpler to set both.
        #
        KRB5_KTNAME=FILE:/var/spool/keytabs/smtp
        KRB5CCNAME=FILE:/var/spool/tickets/smtp

master.cf:
    smtp inet ... smtpd
        -o import_environment=$krb5_import_environment
    smtp unix ... smtp
        -o import_environment=$krb5_import_environment

where the auto-refreshed ticket was naturally in /var/spool/tickets/smtp.
The corresponding keytab file is in /var/spool/keytabs/smtp. The cron-job
simply runs

    kinit -c /var/spool/tickets/smtp -k -t /var/spool/keytabs/smtp smtp/$(uname -n)

--
Viktor.
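The approach above depends on the hourly cron refresh silently succeeding; if the keytab becomes unreadable or the job stops running, the first symptom is SMTP GSSAPI authentication failing some hours later. The following monitoring check is an added example, not code from this thread or from Postfix: it parses the output of MIT Kerberos `klist -c <ccache>` for the cache path named in the post and reports whether the krbtgt ticket is still good for at least a safety margin. It assumes (not stated in the post) that klist prints timestamps in the "%x %X" layout of the C and en_US locales, such as "04/06/2012 16:47:37" or "04/06/12 16:47:37"; the klist output embedded below is constructed for illustration, not captured from a real host.

```python
#!/usr/bin/env python3
"""Check that a cron-refreshed Kerberos credential cache still holds a
valid TGT. Added example; assumes MIT klist output in the C/en_US time
layout. Exit status 0 means the cache is fine, 1 otherwise."""
import re
import subprocess
import sys
from datetime import datetime, timedelta

# Cache path taken from the post; override on the command line.
DEFAULT_CCACHE = "FILE:/var/spool/tickets/smtp"

# One ticket line of klist output: valid-from, expires, service principal.
TICKET_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2})\s+"
    r"(\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2})\s+"
    r"(\S+)$"
)
# Four-digit year (en_US locale) first, then the two-digit year of LANG=C.
TIME_FORMATS = ("%m/%d/%Y %H:%M:%S", "%m/%d/%y %H:%M:%S")

# Constructed sample (not real output) in the layout klist produces on a
# Linux host with LANG=en_US.UTF-8; hostnames and realm are placeholders.
SAMPLE_KLIST = """\
Ticket cache: FILE:/var/spool/tickets/smtp
Default principal: smtp/mx1.example.com@EXAMPLE.COM

Valid starting       Expires              Service principal
04/06/2012 16:47:37  04/07/2012 02:47:37  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 04/13/2012 16:47:37
04/06/2012 16:48:02  04/07/2012 02:47:37  smtp/mx2.example.com@EXAMPLE.COM
"""


def parse_time(text):
    """Parse a klist timestamp in either supported locale layout."""
    for fmt in TIME_FORMATS:
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError("unrecognised klist timestamp: %r" % text)


def parse_klist(output):
    """Map each service principal listed by klist to its expiry time.

    Header lines ("Ticket cache:", "Default principal:", the column
    header) and "renew until" continuation lines do not match TICKET_RE
    and are skipped.
    """
    tickets = {}
    for line in output.splitlines():
        m = TICKET_RE.match(line.strip())
        if m:
            tickets[m.group(3)] = parse_time(m.group(2))
    return tickets


def tgt_expiry(tickets):
    """Expiry of the ticket-granting ticket, or None if the cache has none."""
    for principal, expires in tickets.items():
        if principal.startswith("krbtgt/"):
            return expires
    return None


def check_cache(output, now, margin=timedelta(hours=1)):
    """Classify a cache as 'ok', 'expiring', 'expired' or 'missing'.

    'expiring' means the TGT runs out within `margin` of `now`. With the
    hourly "kinit -k" refresh from the post and a ticket lifetime of
    several hours, a one-hour margin flags a cache that has already
    missed at least one scheduled refresh.
    """
    expires = tgt_expiry(parse_klist(output))
    if expires is None:
        return "missing"
    if expires <= now:
        return "expired"
    if expires - now < margin:
        return "expiring"
    return "ok"


def run_klist(ccache):
    """Run klist on the cache; empty output if klist fails (no cache file)."""
    proc = subprocess.run(["klist", "-c", ccache],
                          capture_output=True, text=True)
    return proc.stdout if proc.returncode == 0 else ""


if __name__ == "__main__":
    ccache = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_CCACHE
    # klist prints local time, so compare against local time as well.
    state = check_cache(run_klist(ccache), datetime.now())
    print("%s: %s" % (ccache, state))
    sys.exit(0 if state == "ok" else 1)
```

Run it from the same cron or monitoring account that owns /var/spool/tickets/smtp, since the cache file is only readable by its owner; a non-zero exit on "expiring" or "missing" is the signal that the refresh job, the keytab, or the KDC path needs attention before Postfix notices.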