On 2009-06-24 at 14:28 +0100, Jasper Wallace wrote:
> This is Exim version 4.63 #1 built 20-Jan-2007 10:42:32 running on
> Debian GNU/Linux 4.0.
>
> I'm trying to set up plain and login authenticators with the username
> and password being looked up in nis. nis uses salted md5 passwords (the
> $1$salt$hash type), these are supported by the local crypt() functions.
>
> This works:
>
> exim4 -d+all -be '${if
> crypteq{MYPASSWORD}{${extract{2}{:}{${lookup{jasper}nis{shadow.byname}}}}}}'
>
> but in the authenticators when testing with -bh and this server_condition:
>
> server_condition = \
> ${if
> crypteq{MYPASSWORD}{${extract{2}{:}{${lookup{jasper}nis{shadow.byname}}}}} \
> }
>
> i get
>
> 14:21:34 8620 search_open: nis "shadow.byname"
> 14:21:34 8620 search_find: file="shadow.byname"
> 14:21:34 8620 key="jasper" partial=-1 affix=NULL starflags=0
> 14:21:34 8620 LRU list:
> 14:21:34 8620 internal_search_find: file="shadow.byname"
> 14:21:34 8620 type=nis key="jasper"
> 14:21:34 8620 file lookup required for jasper
> 14:21:34 8620 in shadow.byname
> 14:21:34 8620 lookup failed
>
> So any idea why nis fails in the authenticator, but not expansion testing?
It's been a decade since I last saw NIS used, so I can only guess, but:
Permissions.
You're doing the testing as the invoking user, and I suspect that's root.
The authenticator will have dropped permissions to user "exim", or
somesuch -- on Debian I believe it's "exim4" and you don't have access
for the Exim user to the NIS shadow map.
Some quick searching shows that "yp_mkdb" takes the "-s" flag, which
sets a YP_SECURE key in the database which ypserv uses to prevent
querying the map unless the client source port is <1024.
-Phil
