bin/58326: nss users cannot send mail via /usr/bin/mail or /usr/sbin/sendmail
Alex Deiter
tiamat at komi.mts.ru
Tue Oct 21 03:10:23 PDT 2003
>Number: 58326
>Category: bin
>Synopsis: nss users cannot send mail via /usr/bin/mail or /usr/sbin/sendmail
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Oct 21 03:10:20 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator: Alex Deiter
>Release: FreeBSD 5.1-CURRENT sparc64
>Organization:
MTS Komi
>Environment:
System: FreeBSD selma.komi.mts.ru 5.1-CURRENT FreeBSD 5.1-CURRENT #0: Wed Oct 15 13:53:52 MSD 2003 root at selma.komi.mts.ru:/home/obj/mnt/devel/ncvs/current/src/sys/MTS sparc64
>Description:
After transferring users from /etc/passwd to an LDAP directory, my users cannot
send mail from the command line via the /usr/bin/mail or /usr/sbin/sendmail
programs (if the MSP uses AUTH):
ldap_user$ id
uid=1000(test) gid=1000(test) groups=1000(test)
ldap_user$ pw usershow test
test:*:1000:1000::0:0:test:/tmp:/bin/sh
ldap_user$ date | /usr/sbin/sendmail -v root
root... Connecting to [127.0.0.1] via relay...
220 server.komi.mts.ru ESMTP Sendmail 8.12.10/8.12.10; Tue, 21 Oct 2003 13:44:57 +0400 (MSD)
>How-To-Repeat:
create user in ldap directory:
dn: cn=test,dc=komi,dc=mts,dc=ru
cn: test
objectClass: posixAccount
objectClass: account
uid: test
userPassword: test
loginShell: /bin/sh
homeDirectory: /home/test
gecos: test
description: test
uidNumber: 1000
gidNumber: 1000
install ports/net/nss_ldap
create /etc/nsswitch.conf:
passwd: files ldap
group: files ldap
check it:
# id test
uid=1000(test) gid=1000(test) groups=1000(test)
# pw usershow test
test:*:1000:1000::0:0:test:/home/test:/bin/sh
install ports/security/cyrus-sasl2
create /usr/local/lib/sasl2/Sendmail.conf:
pwcheck_method: auxprop
auxprop_plugin: sasldb
add in /etc/make.conf:
SENDMAIL_CFLAGS+= -I/usr/local/include -DSASL=2
SENDMAIL_LDFLAGS+= -L/usr/local/lib
SENDMAIL_LDADD+= -lsasl2
and rebuild/reinstall sendmail
create /etc/mail/submit.mc:
divert(-1)
divert(0)dnl
VERSIONID(`$Id: submit.mc,v 8.6.2.7 2003/09/10 22:11:56 ca Exp $')
define(`confCF_VERSION', `Submit')dnl
define(`__OSTYPE__',`')dnl dirty hack to keep proto.m4 from complaining
define(`_USE_DECNET_SYNTAX_', `1')dnl support DECnet
define(`confTIME_ZONE', `USE_TZ')dnl
define(`confDONT_INIT_GROUPS', `True')dnl
define(`_REC_AUTH_', `_REC_FULL_AUTH_')
define(`confLOG_LEVEL', 25)
FEATURE(`authinfo', `hash -o /etc/mail/msp-authinfo')
FEATURE(`msp', `[127.0.0.1]')dnl
create /etc/mail/sendmail.mc:
divert(-1)
divert(0)
VERSIONID(`$FreeBSD: mc,v 1.28 2003/04/18 01:25:41 gshapiro Exp $')
OSTYPE(freebsd5)
FEATURE(access_db, `hash -o -T<TMPF> /etc/mail/access')
FEATURE(blacklist_recipients)
FEATURE(local_lmtp)
FEATURE(mailertable, `hash -o /etc/mail/mailertable')
define(`confBIND_OPTS', `WorkAroundBrokenAAAA')
define(`confNO_RCPT_ACTION', `add-to-undisclosed')
define(`confPRIVACY_FLAGS', `authwarnings,noexpn,novrfy')
define(`confLOG_LEVEL', 25)
define(`_REC_AUTH_', `_REC_FULL_AUTH_')
define(`confAUTH_MECHANISMS',`CRAM-MD5 DIGEST-MD5 NTLM LOGIN PLAIN')
TRUST_AUTH_MECH(`CRAM-MD5 DIGEST-MD5 NTLM LOGIN PLAIN')
MAILER(local)
MAILER(smtp)
LOCAL_RULESETS
SLocal_trust_auth
R$* $: $&{auth_authen}
Rsmmsp $# OK
rebuild sendmail.cf and submit.cf and restart sendmail
create /etc/mail/msp-authinfo (mode 0640, owner root, group smmsp):
AuthInfo:127.0.0.1 "U:smmsp" "P:smmsp" "M:PLAIN"
rebuild it with makemap:
# cd /etc/mail
# /usr/sbin/makemap hash msp-authinfo.db < msp-authinfo
# chown root:smmsp msp-authinfo.db msp-authinfo
# chmod 0640 msp-authinfo.db msp-authinfo
create records in /usr/local/etc/sasldb2:
# echo smmsp | saslpasswd2 -p smmsp
# echo test | saslpasswd2 -p test
check it:
# sasldblistusers2
smmsp at server.komi.mts.ru: userPassword
test at server.komi.mts.ru: userPassword
send mail via /usr/bin/sendmail as any user from /etc/passwd:
$ date|/usr/sbin/sendmail -v root
root... Connecting to [127.0.0.1] via relay...
220 server.komi.mts.ru ESMTP Sendmail 8.12.10/8.12.10; Tue, 21 Oct 2003 17:42:52 +0400 (MSD)
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
>>> EHLO server.komi.mts.ru
250-server.komi.mts.ru Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH CRAM-MD5 DIGEST-MD5 NTLM LOGIN PLAIN
250-DELIVERBY
250 HELP
>>> QUIT
221 2.0.0 server.komi.mts.ru closing connection
root... Deferred: Temporary AUTH failure
Closing connection to [127.0.0.1]
But any user from /etc/passwd can successfully send mail from the command line
via the /usr/bin/mail or /usr/sbin/sendmail programs (if the MSP uses AUTH):
$ id
uid=70(pgsql) gid=70(pgsql) groups=70(pgsql)
$ pw usershow pgsql
pgsql:*:70:70::0:0:PostgreSQL Daemon:/usr/local/pgsql:/bin/sh
$ date|/usr/sbin/sendmail -v root
root... Connecting to [127.0.0.1] via relay...
220 server.komi.mts.ru ESMTP Sendmail 8.12.10/8.12.10; Tue, 21 Oct 2003 13:51:05 +0400 (MSD)
>>> EHLO server.komi.mts.ru
250-server.komi.mts.ru Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH CRAM-MD5 DIGEST-MD5 NTLM LOGIN PLAIN
250-DELIVERBY
250 HELP
>>> AUTH PLAIN c21tc3AAc21tc3AAc21tc3A=
235 2.0.0 OK Authenticated
>>> MAIL From:<pgsql at server.komi.mts.ru> SIZE=29 AUTH=pgsql at server.komi.mts.ru
250 2.1.0 <pgsql at server.komi.mts.ru>... Sender ok
>>> RCPT To:<root at server.komi.mts.ru>
>>> DATA
250 2.1.5 <root at server.komi.mts.ru>... Recipient ok
354 Enter mail, end with "." on a line by itself
>>> .
250 2.0.0 h9L9p5XM000790 Message accepted for delivery
root... Sent (h9L9p5XM000790 Message accepted for delivery)
Closing connection to [127.0.0.1]
>>> QUIT
221 2.0.0 server.komi.mts.ru closing connection
AUTH PLAIN c21tc3AAc21tc3AAc21tc3A= is the authinfo for user smmsp (smmsp\0smmsp\0smmsp):
# perl -e 'use MIME::Base64;print decode_base64("c21tc3AAc21tc3AAc21tc3A="), "\n";'
smmspsmmspsmmsp
>>> EHLO server.komi.mts.ru
250-server.komi.mts.ru Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH CRAM-MD5 DIGEST-MD5 NTLM LOGIN PLAIN
250-DELIVERBY
250 HELP
>>> AUTH PLAIN c21tc3AAc21tc3AAc21tc3A=
235 2.0.0 OK Authenticated
>>> MAIL From:<pgsql at server.komi.mts.ru> SIZE=29 AUTH=pgsql at server.komi.mts.ru
250 2.1.0 <pgsql at server.komi.mts.ru>... Sender ok
>>> RCPT To:<root at server.komi.mts.ru>
>>> DATA
250 2.1.5 <root at server.komi.mts.ru>... Recipient ok
354 Enter mail, end with "." on a line by itself
>>> .
250 2.0.0 h9LDgqRA001177 Message accepted for delivery
root... Sent (h9LDgqRA001177 Message accepted for delivery)
Closing connection to [127.0.0.1]
>>> QUIT
221 2.0.0 server.komi.mts.ru closing connection
Try to send mail via SMTP with SMTP AUTH as user test:
$ perl -e 'use MIME::Base64; print encode_base64("test\0test\0test");'
dGVzdAB0ZXN0AHRlc3Q=
$ telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 server.komi.mts.ru ESMTP Sendmail 8.12.10/8.12.10; Tue, 21 Oct 2003 17:48:58 +0400 (MSD)
ehlo test
250-server.komi.mts.ru Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH CRAM-MD5 DIGEST-MD5 NTLM LOGIN PLAIN
250-DELIVERBY
250 HELP
AUTH PLAIN dGVzdAB0ZXN0AHRlc3Q=
235 2.0.0 OK Authenticated
MAIL From:test at server.komi.mts.ru
250 2.1.0 test at server.komi.mts.ru... Sender ok
RCPT To:root at server.komi.mts.ru
250 2.1.5 root at server.komi.mts.ru... Recipient ok
DATA
354 Enter mail, end with "." on a line by itself
test
.
250 2.0.0 h9LDmwRA001214 Message accepted for delivery
quit
221 2.0.0 server.komi.mts.ru closing connection
Connection closed by foreign host.
Works fine.
Try to send mail via /usr/bin/mail or /usr/sbin/sendmail as user test:
test$ id
uid=1000(test) gid=1000(test) groups=1000(test)
test$ date | /usr/sbin/sendmail -v root
root... Connecting to [127.0.0.1] via relay...
220 server.komi.mts.ru ESMTP Sendmail 8.12.10/8.12.10; Tue, 21 Oct 2003 17:52:23 +0400 (MSD)
>>> EHLO server.komi.mts.ru
250-server.komi.mts.ru Hello localhost [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH CRAM-MD5 DIGEST-MD5 NTLM LOGIN PLAIN
250-DELIVERBY
250 HELP
>>> QUIT
221 2.0.0 server.komi.mts.ru closing connection
root... Deferred: Temporary AUTH failure
Closing connection to [127.0.0.1]
Thanks for your patience!
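Added example, not part of the original report: a small Python triage script that reads the two kinds of `sendmail -v` session shown above and reports whether the client ever issued AUTH after the server offered it, decoding any AUTH PLAIN argument into its NUL-separated fields (the Perl one-liner prints them run together because the NULs are invisible). The function names are hypothetical; the sample sessions are abridged from the transcripts in the report. Base64 is only an encoding, so anyone who can read a verbose transcript or level-25 log containing the AUTH PLAIN line recovers the MSP password.

```python
import base64
import re

# Abridged from the report's two `sendmail -v` sessions (pgsql, then test).
WORKING = """\
>>> EHLO server.komi.mts.ru
250-AUTH CRAM-MD5 DIGEST-MD5 NTLM LOGIN PLAIN
250 HELP
>>> AUTH PLAIN c21tc3AAc21tc3AAc21tc3A=
235 2.0.0 OK Authenticated
root... Sent (h9L9p5XM000790 Message accepted for delivery)
"""
FAILING = """\
>>> EHLO server.komi.mts.ru
250-AUTH CRAM-MD5 DIGEST-MD5 NTLM LOGIN PLAIN
250 HELP
>>> QUIT
root... Deferred: Temporary AUTH failure
"""

def decode_sasl_plain(b64):
    """Split a SASL PLAIN response into (authzid, authcid, password)."""
    parts = base64.b64decode(b64, validate=True).split(b"\x00")
    if len(parts) != 3:
        raise ValueError("PLAIN needs exactly two NUL separators")
    return tuple(p.decode("utf-8") for p in parts)

def summarize_session(transcript):
    """Report what the client did about AUTH in one verbose session."""
    info = {"offered": [], "auth_sent": None, "identity": None,
            "authenticated": False, "outcome": None}
    for line in map(str.strip, transcript.splitlines()):
        if m := re.match(r"250[- ]AUTH\s+(.+)", line):
            info["offered"] = m.group(1).split()
        elif m := re.match(r">>> AUTH (\S+)(?:\s+(\S+))?", line):
            info["auth_sent"] = m.group(1)
            if m.group(1) == "PLAIN" and m.group(2):
                info["identity"] = decode_sasl_plain(m.group(2))[1]
        elif line.startswith("235 "):
            info["authenticated"] = True
        elif m := re.search(r"\.\.\. (Sent|Deferred)\b", line):
            info["outcome"] = m.group(1)
    return info

if __name__ == "__main__":
    for name, text in (("pgsql", WORKING), ("test", FAILING)):
        print(name, summarize_session(text))
```

For the LDAP user's session the summary shows AUTH offered, no AUTH command sent, and a Deferred outcome, which places the failure on the client (MSP) side before any credentials reach the server.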