Re: [exim] smtp auth, NIS and lookups.

Top Page
Delete this message
Reply to this message
Author: Jasper Wallace
Date:  
To: exim-users
Old-Topics: Re: [exim] smtp auth, NIS and lookups.
Subject: Re: [exim] smtp auth, NIS and lookups.

Phil Pennock wrote:

On 2009-06-24 at 14:28 +0100, Jasper Wallace wrote:


This is Exim version 4.63 #1 built 20-Jan-2007 10:42:32 running on
Debian GNU/Linux 4.0.

I'm trying to set up plain and login authenticators with the username
and password being looked up in nis. nis uses salted md5 passwords (the
$1$salt$hash type), these are supported by the local crypt() functions.

This works:

exim4 -d+all -be '${if
crypteq{MYPASSWORD}{${extract{2}{:}{${lookup{jasper}nis{shadow.byname}}}}}}'

but in the authenticators when testing with -bh and this server_condition:

 server_condition = \
        ${if
crypteq{MYPASSWORD}{${extract{2}{:}{${lookup{jasper}nis{shadow.byname}}}}} \
         }


i get

14:21:34 8620 search_open: nis "shadow.byname"
14:21:34 8620 search_find: file="shadow.byname"
14:21:34 8620 key="jasper" partial=-1 affix=NULL starflags=0
14:21:34 8620 LRU list:
14:21:34 8620 internal_search_find: file="shadow.byname"
14:21:34 8620 type=nis key="jasper"
14:21:34 8620 file lookup required for jasper
14:21:34 8620 in shadow.byname
14:21:34 8620 lookup failed

So any idea why nis fails in the authenticator, but not expansion testing?


It's been a decade since I last saw NIS used, so I can only guess, but:

Permissions.

You're doing the testing as the invoking user, and I suspect that's root.

The authenticator will have dropped permissions to user "exim", or
somesuch -- on Debian I believe it's "exim4" and you don't have access
for the Exim user to the NIS shadow map.

Some quick searching shows that "yp_mkdb" takes the "-s" flag, which
sets a YP_SECURE key in the database which ypserv uses to prevent
querying the map unless the client source port is <1024.


[Apologies for the thread necroscopy, replying to this now incase
anyone finds it in the archives]
Yes, thats exactly what the problem is. I fixed it by allowing exim to
run ypmatch via sudo with no password via adding this to /etc/sudoers:
exim ALL=NOPASSWD: /usr/bin/ypmatch

   and then in the authenticators using:
 server_condition = "${if and { \
                        {!eq{$2}{}} \
                        {!eq{$3}{}} \
                        { or { \
                                {crypteq{$3}{${extract{2}{:}{${run{/usr/bin/sud
o ypmatch $2 shadow.byname}}}}} } \
                                {and { {eq{$2}{USERNAME}} {eq{$3}{PASSWORD}} }}
 \
                        } \  } \
                     } }"


USERNAME and PASSWORD where the username and password all the clients
used until i put this in place instead.
begin:vcard
fn:Jasper Wallace
n:Wallace;Jasper
email;internet:jasper@???
tel;home:+44 (0)1306 877705
x-mozilla-html:FALSE
version:2.1
end:vcard