3. SUMMARY: Problem with Suns POP3-Server

From: Detlev Habicht (habicht@ims.uni-hannover.de)
Date: Fri Aug 18 2000 - 03:14:06 CDT


Hi again,

last round i think:

There is a new hint for denying user login on a server in
a system running NIS (look at the end of this mail for more info):

One idea would be to go back to using the compat mode and instead of
using:

+:x:::::

use

+::::::/etc/privlogin

Where privlogin is:

-- cut here --
#!/bin/grep ^[^#]
         ***********************************
         ***********************************
         ** This is a restricted machine. **
         ** No logins allowed! **
         ***********************************
         ***********************************
-- cut here --

Here you have access to the passwords but no login shell on the fileserver.
You see only this message.

But i read in Sun manpages, Sun will stop the compat mode in future
releases ... i will use it now.

Other opinions have to do with the art of system management:
Useraccess on a fileserver yes or no, splitting services on
several hosts, second password database and so on.

My personal problem is, i have to put services running on 3 hosts
for now over 6 years on one new host and i learn, i have to change
many things, especially some system management tasks.

Detlev

Many thanx again to:

Willem Ave <willem@unnamed.nu>
Jay Lessert <jayl@latticesemi.com>
"John T. Douglass" <john.douglass@anlw.anl.gov>
Hans Schaechl <schaechl@bigfoot.com>

------------- Begin Forwarded Message -------------

[...]

Hi all,

this was my first summary and now i found my mistake:
>
> i have to test Suns POP-Server on a new system running Solaris 7 with NIS.
> I have installed SIMS 2.0 and also the license.
>
> When i test via telnet i see this:
>
> ~ (testuser@werner) 11 >telnet akira pop3
> Trying 130.75.57.34...
> Connected to akira.
> Escape character is '^]'.
> +OK akira Solstice (tm) Internet Mail Server (tm) POP3 2.0 p11 at Mon, 14 Aug 2000 17:17:00 +0200 (MET DST)
> user testuser
> +OK User name accepted, password please
> pass nnnnnnnnnn
> -ERR Bad login
>
> In /var/log/syslog i see only this:
>
> Aug 14 17:17:13 akira ipop3d[21130]: Login failure user=testuser host=werner
>
>
> Of course, not very much information. On a Qualcomm-Server on the
> old host this way of testing works. I found only a small
> manpage and no other docs. The testuser exists and i know the
> right password ...
>
> So, any hints where i have to look? Are there any important systemfiles?
> Any more docs available (i checked the CDs, docs.sun.com)? How to
> debug the pop-server?
>

The pop3-daemon works. I have a NIS problem. In my old system the mailserver
is running on a normal host embedded in my NIS structure. So the pop3-daemon
has access to the NIS database and can check the user accounts.

For my new system i put the pop3-daemon (and the new mailserver) on a
fileserver. On this fileserver i deny user access in this way:

/etc/passwd:

root:x:0:1:Super-User:/:/sbin/sh
[...]
noaccess:x:60002:60002:No Access User:/:
nobody4:x:65534:65534:SunOS 4.x Nobody:/:
ppp:x:10:5:Solstice PPP 3.0 pppls:/:/usr/sbin/pppls
+:x:::::

/etc/nsswitch.conf:

[...]
passwd: compat
[...]

This is a good way to prevent user access to this fileserver, but when
you are logged in as root you can see user and group names and you can su
to a user account.

pop3-daemons don't like this.

When i change nsswitch.conf to "passwd: files nis" everything is
working, but also user access ...

So i have to think about a new way of user authentication for pop3.

Are there any patches available to have access to a passwd-file
other than /etc/passwd???

Detlev

[...]

------------- End Forwarded Message -------------

-- 
 Detlev  | Institut fuer Mikroelektronische Systeme, Uni Hannover
 Habicht | D-30167 Hannover +49 511 76219662 habicht@ims.uni-hannover.de
 --------+-------- Handy    +49 172 5415752  ---------------------------
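
Added example, not part of the original mail: a small shell check that reads an nsswitch.conf-style file and a passwd file and reports which fields the wildcard + line overrides, covering the two variants quoted above (+:x::::: and +::::::/etc/privlogin). It assumes that in compat mode a non-empty field in the + line replaces the value NIS supplies; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original mail). Assumption: in compat mode a
# non-empty field in the "+" line replaces the value NIS supplies.

# Print the first source listed for "passwd:" in an nsswitch.conf-style file.
passwd_mode() {
    awk '$1 == "passwd:" { print $2; exit }' "$1"
}

# Report which fields the wildcard "+" line of a passwd file overrides.
plus_entry_effect() {
    awk -F: '
        $1 == "+" { found = 1; pw = $2; shell = $7 }
        END {
            if (!found) { print "no-plus-entry"; exit }
            printf "password=%s shell=%s\n", (pw == "" ? "nis" : "overridden"), (shell == "" ? "nis" : shell)
        }' "$1"
}

# audit NSSWITCH_FILE PASSWD_FILE: combine both checks into one verdict line.
audit() {
    mode=$(passwd_mode "$1")
    if [ "$mode" = "compat" ]; then
        echo "compat: $(plus_entry_effect "$2")"
    else
        echo "$mode: not compat"
    fi
}

# Constructed sample files mirroring the two variants quoted in the mail.
demo() {
    d=$(mktemp -d) || return 1
    printf 'passwd: compat\n' > "$d/nsswitch.conf"
    printf 'root:x:0:1:Super-User:/:/sbin/sh\n+:x:::::\n' > "$d/passwd.old"
    printf 'root:x:0:1:Super-User:/:/sbin/sh\n+::::::/etc/privlogin\n' > "$d/passwd.new"
    audit "$d/nsswitch.conf" "$d/passwd.old"   # password field overridden
    audit "$d/nsswitch.conf" "$d/passwd.new"   # only the shell overridden
    rm -rf "$d"
}
demo
```

A "password=overridden" result corresponds to the first variant, where the mail reports that the POP3 daemon could not authenticate; "shell=/etc/privlogin" corresponds to the variant that keeps the NIS password but replaces the login shell.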




This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:14:14 CDT