[Dovecot] Does NIS/yp work for authentication
If a host is running NIS (passwd file ends in +::0:0:::) authentication, will dovecot be able to authenticate with
auth_userdb = passwd
directly and automagically or do you have to do a ypcat passwd > pwfile periodically to generate a passwd file that dovecot can use?
Thanks!
--
Stewart Dean, Unix System Admin, Henderson Computer Resources
Center of Bard College, Annandale-on-Hudson, New York 12504
sdean@bard.edu voice: 845-758-7475, fax: 845-758-7035
On 2006-04-18 12:13:24 -0400, Stewart Dean wrote:
> If a host is running NIS (passwd file ends in +::0:0:::) authentication, will dovecot be able to authenticate with
> auth_userdb = passwd
> directly and automagically or do you have to do a ypcat passwd > pwfile periodically to generate a passwd file that dovecot can use?
If you use PAM, there shouldn't be an issue.
darix
--
openSUSE - SUSE Linux is my linux
openSUSE is good for you
www.opensuse.org
Marcus Rueckert <rueckert@informatik.uni-rostock.de> writes:
> On 2006-04-18 12:13:24 -0400, Stewart Dean wrote:
> > If a host is running NIS (passwd file ends in +::0:0:::) authentication, will dovecot be able to authenticate with
> > auth_userdb = passwd
> > directly and automagically or do you have to do a ypcat passwd > pwfile periodically to generate a passwd file that dovecot can use?
> if you use pam. there shouldnt be an issue.
This is dangerously false (except if you're using Solaris). NIS is a massive reliability issue on important operating systems that use nsswitch, such as Linux and FreeBSD (and before FreeBSD used nsswitch, too).
These systems tried to copy the Solaris nsswitch scheme, but goofed up horribly, and particularly Linux's nsswitch is utterly unreliable.
Linux's pam_unix2 and glibc nsswitch will happily and instantly return NULL with errno == 0 from getpwnam() if the NIS domain isn't bound.
This makes temporary NIS blackouts (say, ypbind is in the process of switching to another slave server if the server bound to formerly has gone down) indistinguishable from a permanent error which also returns NULL from getpwnam() with errno == 0 if the lookup succeeded and ended up with a definitive "no such user".
glibc's nsswitch doesn't even set errno == EIO in this case (as is documented) which might sell the application a clue something went wrong.
FreeBSD behaves the same except that it keeps retrying for a few minutes which will usually help across short-time temporary failures.
Only Solaris gets it right with its default of TRYAGAIN=forever which neither Linux nor FreeBSD support. That makes Solaris retry forever on temporary failures until it can come up with a definitive result.
I filed reports for these problems a long time ago, to no avail:
glibc: <http://sources.redhat.com/bugzilla/show_bug.cgi?id=430> (Drepper shows he's neither understood the impact of the issue nor does he know his own code.)
FreeBSD: <http://www.freebsd.org/cgi/query-pr.cgi?pr=bin/46866> (No-one picked this up in 27 months.)
-- Matthias Andree
Stewart Dean <sdean@bard.edu> writes:
> If a host is running NIS (passwd file ends in +::0:0:::) authentication, will dovecot be able to authenticate with
> auth_userdb = passwd
> directly and automagically or do you have to do a ypcat passwd > pwfile periodically to generate a passwd file that dovecot can use?
I'd suggest to do the latter for reliability reasons (you'd better use "ypcat passwd >tmpfile && mv tmpfile pwfile" though).
-- Matthias Andree
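An added example (not from the thread) of the dump-and-rename step Matthias suggests, extended with a sanity check before the rename so a NIS blackout that makes ypcat fail or print nothing cannot replace a working pwfile with an empty or truncated one. It assumes ypcat is on PATH; the destination path and the optional stand-in dump command are parameters of this example, not dovecot or NIS settings.

```sh
#!/bin/sh
# Refresh a flat passwd file for dovecot from the NIS passwd map: dump to a
# temp file, validate it, then rename it into place atomically.

# Return 0 if the file looks like a usable passwd dump: at least one line,
# every line has exactly 7 colon-separated fields and a non-empty user name,
# and no NIS compat entries ("+"/"-" lines belong in /etc/passwd, not here).
validate_passwd_dump() {
    awk -F: '
        BEGIN { bad = 0 }
        NF != 7 || $1 == "" || $1 ~ /^[+-]/ { bad = 1 }
        END { exit (bad || NR == 0) ? 1 : 0 }
    ' "$1"
}

# refresh_pwfile DEST [DUMP_COMMAND]
# DUMP_COMMAND defaults to "ypcat passwd" (assumed to be on PATH); the second
# argument only exists so the function can be exercised with a stand-in.
# The temp file lives in DEST's directory so that mv(1) is an atomic rename
# and readers never observe a half-written file.
refresh_pwfile() {
    dest=$1
    dump_cmd=${2:-"ypcat passwd"}
    tmp=$(mktemp "$(dirname "$dest")/.pwfile.XXXXXX") || return 1
    if $dump_cmd > "$tmp" && validate_passwd_dump "$tmp"; then
        # The map may carry crypt hashes, so do not leave it world-readable.
        chmod 0600 "$tmp" && mv "$tmp" "$dest"
    else
        rm -f "$tmp"    # keep the previous pwfile untouched and report failure
        return 1
    fi
}

# Usage from cron: sh refresh_pwfile.sh /path/to/pwfile
if [ $# -gt 0 ]; then
    refresh_pwfile "$@"
fi
```

A non-zero exit leaves the old pwfile in place, so a cron job can alert on it instead of silently locking everyone out.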
On Tue, 18 Apr 2006, Stewart Dean wrote:
> If a host is running NIS (passwd file ends in +::0:0:::) authentication, will dovecot be able to authenticate with
> auth_userdb = passwd
> directly and automagically or do you have to do a ypcat passwd > pwfile periodically to generate a passwd file that dovecot can use?
We use yp authentication, but through pam. I'd wildly and unfoundedly guess that userdb=passwd wouldn't.
passdb pam {
  args = session=yes *
}
pam.d files contain:
  auth sufficient pam_unix.so
  auth required pam_saslauth.so
  common-auth
(which is to say that we actually use sasl for authenticating (private crypt strings), but it speaks to YP via the pam_unix module...).
In a simpler environment, it'd just be
  auth required pam_unix.so
Cheers,
- Simon
Simon Bowden <simonb@cse.unsw.EDU.AU> writes:
> On Tue, 18 Apr 2006, Stewart Dean wrote:
> > If a host is running NIS (passwd file ends in +::0:0:::) authentication, will dovecot be able to authenticate with
> > auth_userdb = passwd
> We use yp authentication, but through pam. I'd wildly and unfoundedly guess that userdb=passwd wouldn't.
Well, it's a guess. The NIS compat mode would work halfway, see my other messages for details. The PAM module ends up using getpwnam() anyways...
-- Matthias Andree