From tiamat@komi.mts.ru  Tue Oct 21 03:07:56 2003
Message-Id: <200310211005.h9LA51rA008281@selma.komi.mts.ru>
Date: Tue, 21 Oct 2003 14:05:01 +0400 (MSD)
From: Alex Deiter <tiamat@komi.mts.ru>
Reply-To: Alex Deiter <tiamat@komi.mts.ru>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: nss users cannot send mail via /usr/bin/mail or /usr/sbin/sendmail
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         58326
>Category:       bin
>Synopsis:       nss users cannot send mail via /usr/bin/mail or /usr/sbin/sendmail
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    gshapiro
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Oct 21 03:10:20 PDT 2003
>Closed-Date:    Sat Dec 11 22:53:25 GMT 2004
>Last-Modified:  Sat Dec 11 22:53:25 GMT 2004
>Originator:     Alex Deiter
>Release:        FreeBSD 5.1-CURRENT sparc64
>Organization:
MTS Komi
>Environment:
System: FreeBSD selma.komi.mts.ru 5.1-CURRENT FreeBSD 5.1-CURRENT #0: Wed Oct 15 13:53:52 MSD 2003 root@selma.komi.mts.ru:/home/obj/mnt/devel/ncvs/current/src/sys/MTS sparc64


>Description:

After transferring users from /etc/passwd to an LDAP directory, my users cannot
send mail from the command line via the /usr/bin/mail or /usr/sbin/sendmail
programs (if the MSP uses AUTH):

ldap_user$ id
uid=1000(test) gid=1000(test) groups=1000(test)

ldap_user$ pw usershow test
test:*:1000:1000::0:0:test:/tmp:/bin/sh

ldap_user$ date | /usr/sbin/sendmail -v root
root... Connecting to [127.0.0.1] via relay...
220 server.komi.mts.ru ESMTP Sendmail 8.12.10/8.12.10; Tue, 21 Oct 2003 13:44:57 +0400 (MSD)
>How-To-Repeat:
create user in ldap directory:

dn: cn=test,dc=komi,dc=mts,dc=ru
cn: test
objectClass: posixAccount
objectClass: account
uid: test
userPassword: test
loginShell: /bin/sh
homeDirectory: /home/test
gecos: test
description: test
uidNumber: 1000
gidNumber: 1000

install ports/net/nss_ldap

create /etc/nsswitch.conf:
passwd: files ldap
group:  files ldap

check it:

# id test
uid=1000(test) gid=1000(test) groups=1000(test)

# pw usershow test
test:*:1000:1000::0:0:test:/home/test:/bin/sh

install ports/security/cyrus-sasl2

create /usr/local/lib/sasl2/Sendmail.conf:
pwcheck_method: auxprop
auxprop_plugin: sasldb

add in /etc/make.conf:
SENDMAIL_CFLAGS+=       -I/usr/local/include -DSASL=2
SENDMAIL_LDFLAGS+=      -L/usr/local/lib
SENDMAIL_LDADD+=        -lsasl2

and rebuild/reinstall sendmail

create /etc/mail/submit.mc:

divert(-1)
divert(0)dnl
VERSIONID(`$Id: submit.mc,v 8.6.2.7 2003/09/10 22:11:56 ca Exp $')
define(`confCF_VERSION', `Submit')dnl
define(`__OSTYPE__',`')dnl dirty hack to keep proto.m4 from complaining
define(`_USE_DECNET_SYNTAX_', `1')dnl support DECnet
define(`confTIME_ZONE', `USE_TZ')dnl
define(`confDONT_INIT_GROUPS', `True')dnl
define(`_REC_AUTH_', `_REC_FULL_AUTH_')
define(`confLOG_LEVEL', 25)
FEATURE(`authinfo', `hash -o /etc/mail/msp-authinfo')
FEATURE(`msp', `[127.0.0.1]')dnl

create /etc/mail/sendmail.mc:

divert(-1)
divert(0)
VERSIONID(`$FreeBSD: mc,v 1.28 2003/04/18 01:25:41 gshapiro Exp $')
OSTYPE(freebsd5)
FEATURE(access_db, `hash -o -T<TMPF> /etc/mail/access')
FEATURE(blacklist_recipients)
FEATURE(local_lmtp)
FEATURE(mailertable, `hash -o /etc/mail/mailertable')
define(`confBIND_OPTS', `WorkAroundBrokenAAAA')
define(`confNO_RCPT_ACTION', `add-to-undisclosed')
define(`confPRIVACY_FLAGS', `authwarnings,noexpn,novrfy')
define(`confLOG_LEVEL', 25)
define(`_REC_AUTH_', `_REC_FULL_AUTH_')
define(`confAUTH_MECHANISMS',`CRAM-MD5 DIGEST-MD5 NTLM LOGIN PLAIN')
TRUST_AUTH_MECH(`CRAM-MD5 DIGEST-MD5 NTLM LOGIN PLAIN')
MAILER(local)
MAILER(smtp)

LOCAL_RULESETS
SLocal_trust_auth
R$*     $: $&{auth_authen}
Rsmmsp  $# OK

rebuild sendmail.cf and submit.cf and restart sendmail

create /etc/mail/msp-authinfo (mode 0640, owner root, group smmsp):

AuthInfo:127.0.0.1      "U:smmsp" "P:smmsp" "M:PLAIN"

rebuild it with makemap:

# cd /etc/mail
# /usr/sbin/makemap hash msp-authinfo.db < msp-authinfo
# chown root:smmsp msp-authinfo.db msp-authinfo
# chmod 0640 msp-authinfo.db msp-authinfo

create records in /usr/local/etc/sasldb2:

# echo smmsp | saslpasswd2 -p smmsp
# echo test | saslpasswd2 -p test

check it:

# sasldblistusers2
smmsp@server.komi.mts.ru: userPassword
test@server.komi.mts.ru: userPassword

send mail via /usr/bin/sendmail as any user from /etc/passwd:

$ date|/usr/sbin/sendmail -v root
root... Connecting to [127.0.0.1] via relay...
220 server.komi.mts.ru ESMTP Sendmail 8.12.10/8.12.10; Tue, 21 Oct 2003 17:42:52 +0400 (MSD)
>Fix:
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->gshapiro 
Responsible-Changed-By: gshapiro 
Responsible-Changed-When: Fri Jul 16 17:32:21 GMT 2004 
Responsible-Changed-Why:  
Take ownership of this sendmail-related bug. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=58326 
State-Changed-From-To: open->analyzed 
State-Changed-By: gshapiro 
State-Changed-When: Sat Dec 11 03:07:53 GMT 2004 
State-Changed-Why:  
In order to debug this, please try: 

date | sendmail -v -d44.4 -OLogLevel=12 root 

And send both the output from that command and the logs in /var/log/maillog 
from just that attempt (not the entire log file). 


http://www.freebsd.org/cgi/query-pr.cgi?pr=58326 
State-Changed-From-To: analyzed->closed 
State-Changed-By: gshapiro 
State-Changed-When: Sat Dec 11 22:52:36 GMT 2004 
State-Changed-Why:  
From: ?????? ????????? ?????????? <tiamat@komi.mts.ru> 
To: Gregory Neil Shapiro <gshapiro@FreeBSD.org> 
Subject: Re: bin/58326: nss users cannot send mail via /usr/bin/mail or /usr/sbin/sendmail 
Date: Sat, 11 Dec 2004 11:10:41 +0300 

I'm sorry: on my current configuration (FreeBSD 5.3/Sendmail 8.13.1 and
FreeBSD 5.2.1/Sendmail 8.12.10) I cannot reproduce this error:

nss_user$ date | /usr/sbin/sendmail -v root 
root... Connecting to [127.0.0.1] via relay... 
220 samba.komi.mts.ru ESMTP Sendmail 8.13.1/8.13.1; Sat, 11 Dec 2004 10:48:33 +0300 (MSK)
>Unformatted:
 >>> EHLO samba.komi.mts.ru 
 250-samba.komi.mts.ru Hello localhost.komi.mts.ru [127.0.0.1], pleased to meet you
 250-ENHANCEDSTATUSCODES 
 250-PIPELINING 
 250-8BITMIME 
 250-SIZE 
 250-DSN 
 250-ETRN 
 250-AUTH CRAM-MD5 DIGEST-MD5 NTLM LOGIN PLAIN 
 250-DELIVERBY 
 250 HELP 
 >>> AUTH PLAIN c21tc3AAc21tc3AAc21tc3A= 
 235 2.0.0 OK Authenticated 
 >>> MAIL From:<tiamat@samba.komi.mts.ru> SIZE=29 AUTH=tiamat@samba.komi.mts.ru
 250 2.1.0 <tiamat@samba.komi.mts.ru>... Sender ok 
 >>> RCPT To:<root@samba.komi.mts.ru> 
 >>> DATA 
 250 2.1.5 <root@samba.komi.mts.ru>... Recipient ok 
 354 Enter mail, end with "." on a line by itself 
 >>> . 
 250 2.0.0 iBB7mXM9051456 Message accepted for delivery 
 root... Sent (iBB7mXM9051456 Message accepted for delivery) 
 Closing connection to [127.0.0.1] 
 >>> QUIT 
 221 2.0.0 samba.komi.mts.ru closing connection 
 
 Thanks a lot! 
 
 -- 
 Alex Deiter 
 
 
 http://www.freebsd.org/cgi/query-pr.cgi?pr=58326 
 >>> EHLO server.komi.mts.ru
 250-server.komi.mts.ru Hello localhost [127.0.0.1], pleased to meet you
 250-ENHANCEDSTATUSCODES
 250-PIPELINING
 250-8BITMIME
 250-SIZE
 250-DSN
 250-ETRN
 250-AUTH CRAM-MD5 DIGEST-MD5 NTLM LOGIN PLAIN
 250-DELIVERBY
 250 HELP
 >>> QUIT
 221 2.0.0 server.komi.mts.ru closing connection
 root... Deferred: Temporary AUTH failure
 Closing connection to [127.0.0.1]
 
 But any user from /etc/passwd can successfully send mail from the command line
 via the /usr/bin/mail or /usr/sbin/sendmail programs (if the MSP uses AUTH):
 
 $ id
 uid=70(pgsql) gid=70(pgsql) groups=70(pgsql)
 
 $ pw usershow pgsql
 pgsql:*:70:70::0:0:PostgreSQL Daemon:/usr/local/pgsql:/bin/sh
 
 $ date|/usr/sbin/sendmail -v root
 root... Connecting to [127.0.0.1] via relay...
 220 server.komi.mts.ru ESMTP Sendmail 8.12.10/8.12.10; Tue, 21 Oct 2003 13:51:05 +0400 (MSD)
 >>> EHLO server.komi.mts.ru
 250-server.komi.mts.ru Hello localhost [127.0.0.1], pleased to meet you
 250-ENHANCEDSTATUSCODES
 250-PIPELINING
 250-8BITMIME
 250-SIZE
 250-DSN
 250-ETRN
 250-AUTH CRAM-MD5 DIGEST-MD5 NTLM LOGIN PLAIN
 250-DELIVERBY
 250 HELP
 >>> AUTH PLAIN c21tc3AAc21tc3AAc21tc3A=
 235 2.0.0 OK Authenticated
 >>> MAIL From:<pgsql@server.komi.mts.ru> SIZE=29 AUTH=pgsql@server.komi.mts.ru
 250 2.1.0 <pgsql@server.komi.mts.ru>... Sender ok
 >>> RCPT To:<root@server.komi.mts.ru>
 >>> DATA
 250 2.1.5 <root@server.komi.mts.ru>... Recipient ok
 354 Enter mail, end with "." on a line by itself
 >>> .
 250 2.0.0 h9L9p5XM000790 Message accepted for delivery
 root... Sent (h9L9p5XM000790 Message accepted for delivery)
 Closing connection to [127.0.0.1]
 >>> QUIT
 221 2.0.0 server.komi.mts.ru closing connection
 
 AUTH PLAIN c21tc3AAc21tc3AAc21tc3A= - is authinfo for user smmsp (smmsp\0smmsp\0smmsp):
 
 # perl -e 'use MIME::Base64;print decode_base64("c21tc3AAc21tc3AAc21tc3A="), "\n";'
 smmspsmmspsmmsp
 
 
 >>> EHLO server.komi.mts.ru
 250-server.komi.mts.ru Hello localhost [127.0.0.1], pleased to meet you
 250-ENHANCEDSTATUSCODES
 250-PIPELINING
 250-8BITMIME
 250-SIZE
 250-DSN
 250-ETRN
 250-AUTH CRAM-MD5 DIGEST-MD5 NTLM LOGIN PLAIN
 250-DELIVERBY
 250 HELP
 >>> AUTH PLAIN c21tc3AAc21tc3AAc21tc3A=
 235 2.0.0 OK Authenticated
 >>> MAIL From:<pgsql@server.komi.mts.ru> SIZE=29 AUTH=pgsql@server.komi.mts.ru
 250 2.1.0 <pgsql@server.komi.mts.ru>... Sender ok
 >>> RCPT To:<root@server.komi.mts.ru>
 >>> DATA
 250 2.1.5 <root@server.komi.mts.ru>... Recipient ok
 354 Enter mail, end with "." on a line by itself
 >>> .
 250 2.0.0 h9LDgqRA001177 Message accepted for delivery
 root... Sent (h9LDgqRA001177 Message accepted for delivery)
 Closing connection to [127.0.0.1]
 >>> QUIT
 221 2.0.0 server.komi.mts.ru closing connection
 
 Try to send mail via SMTP with SMTP AUTH as user test:
 
 $ perl -e 'use MIME::Base64; print encode_base64("test\0test\0test");'
 dGVzdAB0ZXN0AHRlc3Q=
 
 $ telnet localhost 25
 Trying 127.0.0.1...
 Connected to localhost.
 Escape character is '^]'.
 220 server.komi.mts.ru ESMTP Sendmail 8.12.10/8.12.10; Tue, 21 Oct 2003 17:48:58 +0400 (MSD)
 ehlo test
 250-server.komi.mts.ru Hello localhost [127.0.0.1], pleased to meet you
 250-ENHANCEDSTATUSCODES
 250-PIPELINING
 250-8BITMIME
 250-SIZE
 250-DSN
 250-ETRN
 250-AUTH CRAM-MD5 DIGEST-MD5 NTLM LOGIN PLAIN
 250-DELIVERBY
 250 HELP
 AUTH PLAIN dGVzdAB0ZXN0AHRlc3Q=
 235 2.0.0 OK Authenticated
 MAIL From:test@server.komi.mts.ru
 250 2.1.0 test@server.komi.mts.ru... Sender ok
 RCPT To:root@server.komi.mts.ru
 250 2.1.5 root@server.komi.mts.ru... Recipient ok
 DATA
 354 Enter mail, end with "." on a line by itself
 test
 .
 250 2.0.0 h9LDmwRA001214 Message accepted for delivery
 quit
 221 2.0.0 server.komi.mts.ru closing connection
 Connection closed by foreign host.
 
 Works fine.
 
 Try to send mail via /usr/bin/mail or /usr/sbin/sendmail as user test:
 
 test$ id
 uid=1000(test) gid=1000(test) groups=1000(test)
 
 test$ date | /usr/sbin/sendmail -v root
 root... Connecting to [127.0.0.1] via relay...
 220 server.komi.mts.ru ESMTP Sendmail 8.12.10/8.12.10; Tue, 21 Oct 2003 17:52:23 +0400 (MSD)
 >>> EHLO server.komi.mts.ru
 250-server.komi.mts.ru Hello localhost [127.0.0.1], pleased to meet you
 250-ENHANCEDSTATUSCODES
 250-PIPELINING
 250-8BITMIME
 250-SIZE
 250-DSN
 250-ETRN
 250-AUTH CRAM-MD5 DIGEST-MD5 NTLM LOGIN PLAIN
 250-DELIVERBY
 250 HELP
 >>> QUIT
 221 2.0.0 server.komi.mts.ru closing connection
 root... Deferred: Temporary AUTH failure
 Closing connection to [127.0.0.1]
 
 
 Thanks for your patience!
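
Added example, not part of the original report or of sendmail: a small classifier for `sendmail -v` transcripts like the ones above. It separates "server offered AUTH but the client never attempted it" (the failing case) from an accepted or rejected AUTH, and decodes an AUTH PLAIN token into its identity fields without echoing the password. The function names and the `server.example` host are assumptions; the sample transcripts are constructed from the report's output.

```python
import base64
import re

# Constructed sample transcripts, modelled on the `sendmail -v` output in the report.
FAILED = """\
>>> EHLO server.example
250-server.example Hello localhost [127.0.0.1], pleased to meet you
250-AUTH CRAM-MD5 DIGEST-MD5 NTLM LOGIN PLAIN
250 HELP
>>> QUIT
221 2.0.0 server.example closing connection
root... Deferred: Temporary AUTH failure
"""
OK = """\
>>> EHLO server.example
250-AUTH CRAM-MD5 DIGEST-MD5 NTLM LOGIN PLAIN
250 HELP
>>> AUTH PLAIN c21tc3AAc21tc3AAc21tc3A=
235 2.0.0 OK Authenticated
"""

def decode_plain(token):
    """Split a SASL PLAIN initial response (authzid NUL authcid NUL passwd).

    The password is reported only as a length so it never reaches a log.
    Raises ValueError if the token does not have exactly three fields.
    """
    raw = base64.b64decode(token, validate=True)
    authzid, authcid, passwd = raw.split(b"\0")
    return {"authzid": authzid.decode(), "authcid": authcid.decode(),
            "passwd_len": len(passwd)}

def classify(transcript):
    """Return (verdict, identity) for one client-side `sendmail -v` transcript."""
    lines = [ln.strip() for ln in transcript.splitlines() if ln.strip()]
    offered = any(re.match(r"250[- ]AUTH\b", ln) for ln in lines)
    for i, ln in enumerate(lines):
        m = re.match(r">>> AUTH (\S+)(?: (\S+))?$", ln)
        if not m:
            continue
        # The first final server reply after AUTH decides the outcome;
        # 334 is only a challenge/continuation, so skip it.
        reply = next((r for r in lines[i + 1:]
                      if re.match(r"[2345]\d\d[ -]", r) and not r.startswith("334")), "")
        ident = decode_plain(m.group(2)) if m.group(1) == "PLAIN" and m.group(2) else None
        return ("auth-ok" if reply.startswith("235") else "auth-rejected", ident)
    return ("auth-not-attempted" if offered else "auth-not-offered", None)
```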
 
