[Dovecot] Does NIS/yp work for authentication

Matthias Andree matthias.andree at gmx.de
Wed Apr 19 11:52:13 EEST 2006


Marcus Rueckert <rueckert at informatik.uni-rostock.de> writes:

> On 2006-04-18 12:13:24 -0400, Stewart Dean wrote:
>> If a host is running NIS (passwd file ends in +::0:0:::) authentication, 
>> will dovecot be able to authenticate with
>> 
>> auth_userdb = passwd
>> 
>> directly and automagically or do you have to do a ypcat passwd > pwfile 
>> periodically to generate a passwd file that dovecot can use?
>
> If you use PAM, there shouldn't be an issue.

This is dangerously false (except if you're using Solaris): NIS is a
massive reliability issue on important operating systems that use
nsswitch such as Linux and FreeBSD (and before FreeBSD used nsswitch,
too).

These systems tried to copy the Solaris nsswitch scheme, but goofed up
horribly, and particularly Linux's nsswitch is utterly unreliable.

Linux's pam_unix2 and glibc nsswitch will happily and instantly return
NULL with errno == 0 from getpwnam() if the NIS domain isn't bound.

This makes temporary NIS blackouts (say, ypbind is in the process of
switching to another slave server if the server bound to formerly has
gone down) indistinguishable from a permanent error which also returns
NULL from getpwnam() with errno == 0 if the lookup succeeded and ended
up with a definitive "no such user".

glibc's nsswitch doesn't even set errno == EIO in this case (as is
documented) which might sell the application a clue something went
wrong.

FreeBSD behaves the same except that it keeps retrying for a few minutes
which will usually help across short-time temporary failures.

Only Solaris gets it right with its default of TRYAGAIN=forever, which
neither Linux nor FreeBSD supports. That makes Solaris retry forever on
temporary failures until it can come up with a definitive result.

I filed reports for these problems a long time ago, to no avail:

glibc: <http://sources.redhat.com/bugzilla/show_bug.cgi?id=430>
(Drepper shows he's neither understood the impact of the issue nor does
he know his own code.)

FreeBSD: <http://www.freebsd.org/cgi/query-pr.cgi?pr=bin/46866>
(No-one picked this up in 27 months.)

-- 
Matthias Andree
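The ambiguity the message describes, as an added example that is not part of the original post or of Dovecot's own code: a lookup wrapper that applies the POSIX errno contract for getpwnam() (NULL with errno == 0 means "no such user", NULL with a transient errno means "try again") and retries the documented transient codes. The wrapper and its names are hypothetical; as the post explains, it cannot rescue a backend that reports an unbound NIS domain as NULL/errno 0.

```c
#include <errno.h>
#include <pwd.h>
#include <unistd.h>

/* Outcome of one user lookup, separated the way an authenticator needs. */
enum lookup_status {
    LOOKUP_FOUND,        /* a record came back */
    LOOKUP_NO_SUCH_USER, /* definitive: NULL with errno == 0 */
    LOOKUP_TRANSIENT,    /* NULL with a retryable errno: try again */
    LOOKUP_ERROR         /* NULL with any other errno: fail closed */
};

/* Classify a getpwnam() result from the pointer it returned and the errno
 * it left (callers must set errno = 0 before the call). This is the
 * POSIX-documented contract; the message above reports that glibc's NIS
 * backend breaks it by answering NULL/errno 0 while the domain is unbound,
 * which this function can only read as "no such user". */
enum lookup_status classify_lookup(const struct passwd *pw, int err)
{
    if (pw != NULL)
        return LOOKUP_FOUND;
    switch (err) {
    case 0:
        return LOOKUP_NO_SUCH_USER;
    case EAGAIN: /* documented transient codes, incl. EIO the poster names */
    case EINTR:
    case EIO:
        return LOOKUP_TRANSIENT;
    default:
        return LOOKUP_ERROR;
    }
}

/* Hypothetical retrying wrapper (not Dovecot's code): repeats the lookup
 * while the backend reports a transient error, up to max_tries attempts,
 * pausing a second in between. getpwnam() is not thread-safe. */
enum lookup_status lookup_user(const char *name, int max_tries)
{
    enum lookup_status st = LOOKUP_ERROR;
    for (int attempt = 1; attempt <= max_tries; attempt++) {
        errno = 0;
        const struct passwd *pw = getpwnam(name);
        st = classify_lookup(pw, errno);
        if (st != LOOKUP_TRANSIENT)
            break;
        sleep(1);
    }
    return st;
}
```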