[Dovecot] OT: NIS Authentication
Ran into a major issue with my setup overnight:
We have a Win2K AD domain running SFU with a master and 1 slave NIS server. Our mail server is a FC1 box that runs dovecot and a MailScanner/sendmail config. The mail server is configured as a NIS client. The problem is that we lost power overnight and all of the boxes shut down after the UPSes ran out of battery. After the power came back on, all of the boxes automatically rebooted. The problem is that our mail server is somewhat faster than the rest of the servers. It booted up before the master or slave NIS servers were up and running. Since the mail server uses a PAM NIS authentication scheme, it knows nothing about our users unless it connects to a NIS server.

So, this morning users were getting "unknown username" type errors with Outlook. Furthermore, the mail logs show that sendmail was rejecting mail with "unknown user" errors. It wasn't until we rebooted the mail server and it was able to reconnect to the NIS servers that mail resumed being received and users could access it. It seems like a fundamental problem with our setup. Since I'll eventually be updating the box to a newer OS and configuration, I need to plug this hole somehow without changing the authentication scheme. Furthermore, I'm concerned that if the master or slave went down while the mail server was still up, we'd see similar results.

I'm thinking of one of two options to fix this but wanted to run it by everyone to see if there was a better way:

- Configure the boot loader to wait 5 minutes before loading the OS (it uses GRUB so I'll set it to display the OS menu screen for 5 minutes and then boot). Then if I'm doing maintenance to the box I can just hit enter to boot immediately, and hopefully the 5 minute delay will allow the other boxes to boot after a power outage. This won't cover me if it's not a power outage (e.g. the master or slave dies).
- Configure the mail server as an NIS slave. I'm thinking that this will basically "copy" the user info (username, password, homedir, etc.) on a schedule and store it locally on the mail server (is this how it works?). This covers both issues - power outage and a server dying. But I've read about problems getting password sync to happen quickly. I'd ideally like it to happen immediately (without any manual intervention) but I don't think this is possible.
Thoughts?
Jeff Graves, MCSA
Customer Support Engineer
Image Source, Inc.
10 Mill Street
Bellingham, MA 02019
508.966.5200 - Phone
508.966.5170 - Fax
jeff@image-src.com - Email
www.image-src.com
> - Configure the mail server as an NIS slave. I'm thinking that this will basically "copy" the user info (username, password, homedir, etc.) on a schedule and store it locally on the mail server (is this how it works?). This covers both issues - power outage and a server dying. But I've read about problems getting password sync to happen quickly. I'd ideally like it to happen immediately (without any manual intervention) but I don't think this is possible.
>
> Thoughts?
>
> Jeff Graves, MCSA Customer Support Engineer
I have not used NIS for quite some time; rdist and ssh keys are much better for this simple task.

Home dirs in the Sun NIS model are handled via an NFS mount of the home dir from a common home dir server.

In NIS all slaves can also be clients. Slaves get the passwd, group, shadow, and other maps from the master via a transfer which is started/controlled by the master. So, as soon as the master and slaves are up, the master will push out maps if they have been changed. If the master crashes the slaves should have the most current maps.

NIS is a slow process in general; one twist is to configure all slaves to be clients first, then slaves. Slaves configured this way will query the master (as a client) and if this fails query their local maps (as a slave).

James H. Edwards
Network Systems Administrator
Judicial Information Division
jedwards@nmcourts.com
When I fire up dovecot, this is what I get with the following plugins enabled from dovecot.conf:
mail_plugins = cmusieve
mail_plugin_dir = /dc/dovecot/lib/dovecot/lda

Here's the error:

Error: dlopen(/dc/dovecot/lib/dovecot/lda/lib90_cmusieve_plugin.so) failed: /dc/dovecot/lib/dovecot/lda/lib90_cmusieve_plugin.so: undefined symbol: deliver_mail
Error: imap dump-capability process returned 89
Host is Ubuntu 6.06-1 AMD64, mailer is postfix.
Anybody have any ideas? Otherwise works fine if I comment out the plugins.
Thanks.
On Fri, 2006-08-11 at 13:38 -0700, Jeremy Koski wrote:
> When I fire up dovecot, this is what I get with the following plugins enabled from dovecot.conf:
>
> mail_plugins = cmusieve
> mail_plugin_dir = /dc/dovecot/lib/dovecot/lda
>
> Here's the error:
>
> Error: dlopen(/dc/dovecot/lib/dovecot/lda/lib90_cmusieve_plugin.so) failed: /dc/dovecot/lib/dovecot/lda/lib90_cmusieve_plugin.so: undefined symbol: deliver_mail
> Error: imap dump-capability process returned 89
You're trying to add it to imap (or global?) plugins. You'll need to add it inside protocol lda { .. }.
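The placement Timo describes can be checked mechanically. What follows is an added example, not code from Timo's reply or from the Dovecot project: a POSIX shell function wrapping awk that walks a dovecot.conf and flags any mail_plugins line naming cmusieve that is not inside a protocol lda { ... } block, which is the condition that makes imap dlopen an LDA-only plugin and trip over deliver_mail. The two configuration fragments are constructed for the example (the plugin directory is the one from the post; the postmaster_address value is a placeholder), and the brace tracking assumes the one-section-opener-per-line layout of 1.0-era dovecot.conf.

```shell
#!/bin/sh
# Added example (not from the thread): flag "mail_plugins = cmusieve"
# outside "protocol lda { ... }".  cmusieve is an LDA plugin; when the
# setting is global, imap/pop3 load it too and fail on deliver_mail.

# Constructed sample: the layout from the original post (global scope).
BROKEN_CONF='
mail_plugins = cmusieve
mail_plugin_dir = /dc/dovecot/lib/dovecot/lda
protocol imap {
}
protocol lda {
  postmaster_address = postmaster@example.org
}
'

# Constructed sample: the layout Timo suggests (inside protocol lda).
FIXED_CONF='
protocol imap {
}
protocol lda {
  postmaster_address = postmaster@example.org
  mail_plugins = cmusieve
  mail_plugin_dir = /dc/dovecot/lib/dovecot/lda
  plugin {
    sieve = ~/.dovecot.sieve
  }
}
'

# Reads a config text from $1.  Prints one line per misplaced cmusieve
# setting; returns 0 when nothing is misplaced, 1 otherwise.
check_cmusieve_placement() {
    printf '%s\n' "$1" | awk '
        # "protocol NAME {" opens a protocol section: remember its name and
        # the nesting depth it was opened at, so nested blocks inside it
        # (plugin { ... }) do not end the section early.
        /^[ \t]*protocol[ \t]+[A-Za-z0-9]+[ \t]*\{/ {
            depth++; proto = $2; sub(/\{.*/, "", proto); pdepth = depth; next
        }
        /\{[ \t]*$/ { depth++; next }                 # any other section opener
        /^[ \t]*\}/ {                                 # section close
            if (depth == pdepth) { proto = ""; pdepth = 0 }
            depth--; next
        }
        /^[ \t]*mail_plugins[ \t]*=/ && /cmusieve/ && proto != "lda" {
            printf "line %d: cmusieve loaded in scope \"%s\", expected protocol lda\n",
                   NR, (proto == "" ? "global" : proto)
            bad = 1
        }
        END { if (bad) exit 1; exit 0 }
    '
}

# Stand-alone run: the first fragment is reported, the second passes.
for conf in "$BROKEN_CONF" "$FIXED_CONF"; do
    if check_cmusieve_placement "$conf"; then
        echo "ok: cmusieve only inside protocol lda"
    fi
done
```

Run against a real file with `check_cmusieve_placement "$(cat /etc/dovecot/dovecot.conf)"`; a non-zero exit from the function is the condition that produces the dlopen error above.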
On 11.08.2006 at 15:28 -0400, Jeff Graves wrote:

> - Configure the mail server as an NIS slave. I'm thinking that this will basically "copy" the user info (username, password, homedir, etc.) on a schedule and store it locally on the mail server (is this how it works?). This covers both issues - power outage and a server dying.

That is what we do here, both for performance and reliability reasons.

> But I've read about problems getting password sync to happen quickly. I'd ideally like it to happen immediately (without any manual intervention) but I don't think this is possible.
You are supposed to register YP slaves with the master, who then prods the slaves to update any changed databases. The belt-and-suspenders solution is to additionally set up a cron job on the slave(s) that updates the yp databases every day or so with ypxfr(8).
HTH, hauke
--
Hauke Fath, Institut für Nachrichtentechnik, TU Darmstadt
Ruf +49-6151-16-3281
The ASCII Ribbon Campaign: No HTML/RTF in email, No Word docs in email, Respect for open standards
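Added example, not from this thread or from any NIS distribution: a small POSIX shell script covering both halves of the problem Jeff describes, on a mail server that is an NIS slave as well as a client. wait_for_nis replaces the fixed GRUB delay with a boot-time guard that polls ypwhich(1), which only succeeds once ypbind has bound to a server, so sendmail and Dovecot are started only when user lookups can actually work, and on timeout they stay down rather than rejecting mail as "unknown user". refresh_nis_maps is the belt-and-suspenders cron job Hauke mentions, pulling each map from the master with ypxfr -h so a missed push from the master is repaired daily. The master host name, the map list, the 300-second timeout and the wait/refresh dispatcher are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the thread).  Two guards for an NIS slave/client
# mail server:
#   wait_for_nis      - hold the mail daemons at boot until ypbind is bound
#   refresh_nis_maps  - daily ypxfr(8) pull of the maps from the master
# Placeholders: NIS_MASTER, NIS_MAPS and the timeout are assumed values.

NIS_MASTER=${NIS_MASTER:-nismaster.example.org}   # placeholder master host
NIS_MAPS=${NIS_MAPS:-"passwd.byname passwd.byuid group.byname group.bygid"}

# Poll a probe command (run through the shell) once a second until it
# succeeds or the timeout in seconds expires.  Returns 0 on success, 1 on
# timeout.  Kept generic so it can be exercised without NIS present.
wait_for_probe() {
    probe=$1; timeout=$2; waited=0
    while ! eval "$probe" >/dev/null 2>&1; do
        if [ "$waited" -ge "$timeout" ]; then
            return 1
        fi
        sleep 1
        waited=$((waited + 1))
    done
    return 0
}

# Boot-time guard: ypwhich exits non-zero until ypbind has bound to a
# server, which is exactly the state PAM/NSS lookups need.
wait_for_nis() {
    wait_for_probe "ypwhich" "${1:-300}"
}

# Cron job for the slave: transfer every map from the master and report
# each failure.  Returns non-zero if any map failed, so cron mails the
# output instead of silently running on stale maps.
refresh_nis_maps() {
    failed=0
    for map in $NIS_MAPS; do
        if ! ypxfr -h "$NIS_MASTER" "$map"; then
            printf 'ypxfr of %s from %s failed\n' "$map" "$NIS_MASTER" >&2
            failed=$((failed + 1))
        fi
    done
    [ "$failed" -eq 0 ]
}

# Dispatcher (assumed usage): "wait" from the init script that starts the
# mail daemons, "refresh" from a daily crontab entry on the slave.
case "${1:-}" in
    wait)
        if ! wait_for_nis 300; then
            echo "NIS not reachable after 300s; not starting mail services" >&2
            exit 1
        fi
        ;;
    refresh)
        refresh_nis_maps
        ;;
esac
```

A crontab line such as `15 3 * * * /usr/local/sbin/nis-guard.sh refresh` (path assumed) gives the daily pull; the `wait` mode belongs at the top of the init script that starts sendmail and Dovecot, with its failure treated as "do not start" rather than "start without users".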
participants (5)

- Hauke Fath
- james edwards
- Jeff Graves
- Jeremy Koski
- Timo Sirainen