
Exim, NSS, winbind...
This is a strange thing.

I'm (ab)used to using Samba in a mixed environment (Linux/Windows), in NT mode,
using LDAP as backend, exporting users to NSS via libnss-ldap(d), and also using
nscd, which does some caching.

Usually the mail server is also the Samba server, so it is hard to have
users ''disappear'' from NSS.


Now I'm (quickly) moving to Samba in AD mode, where the ''LDAP'' server (the
AD DC) is on a different host from the mail server, and where users are
exported to NSS via winbind.
I've also NOT installed nscd, because winbind has its own caching mechanism:
https://wiki.samba.org/index.php/PAM_Offline_Authentication

and because the Samba folks advise against it.


I've tried to enable offline logon on a portable system, and it works as
expected (e.g., I can disconnect it and still log on, so NSS and PAM data
are correctly ''cached''). Or so it seems.


But some weeks ago I did a general maintenance of my infrastructure, and
I discovered that Exim refused to deliver to some recipients because the users
were not known.
The mail server was temporarily (more than 60 seconds) disconnected from the
domain controllers.


I need to do more tests, but before hitting my head against the wall, I'm asking
here if there are any 'known' drawbacks of using Exim with NSS/winbind
caching, or something like that.


Thanks.

--
One of the biggest problems of this country is that the majority of
imports come from abroad. (George W. Bush)



--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: Exim, NSS, winbind...
On Wed, 30 Jan 2019, Marco Gaiarin via Exim-users wrote:

> But some weeks ago I did a general maintenance of my infrastructure, and
> I discovered that Exim refused to deliver to some recipients because the users
> were not known.
> …
> I need to do more tests, but before hitting my head against the wall, I'm asking
> here if there are any 'known' drawbacks of using Exim with NSS/winbind
> caching, or something like that.

I have not looked 'into' exim (sources), but something similar happened
here with the change to NSS. After the switch from using 'pam with ldap'
to 'pam + NSS with the same ldap', the simple line 'getent passwd'
(i.e. routines 'getpwent', 'setpwent', 'endpwent') did show *only*
the cached users!
So every program could find users 'explicitly' by asking for a uid or
user name, but no longer by 'getting all and then searching internally'.

So IF exim too does the latter, it will see only the 'once been logged in'
users (plus all the locals in /etc/passwd).

Stucki


--
Christoph von Stuckrad * * | also XMPP = |Mail <stucki@mi.fu-berlin.de> \
Freie Universitaet Berlin |/_*| 'jabber' via|Tel(Mo.,Mi.):+49 30 838-75 459|
IT Mathematik & Informatik|\ *|stucki@jabber| (Di,Do,Fr):+49 30 77 39 6600|
Takustr. 9 / 14195 Berlin * * |.fu-berlin.de|Fax(home): +49 30 77 39 6601/


Re: Exim, NSS, winbind...
Hello! Chr. von Stuckrad via Exim-users
wrote on that day...

> I have not looked 'into' exim (sources), but something similar happened
> here with the change to NSS. After the switch from using 'pam with ldap'
> to 'pam + NSS with the same ldap', the simple line 'getent passwd'
> (i.e. routines 'getpwent', 'setpwent', 'endpwent') did show *only*
> the cached users!
> So every program could find users 'explicitly' by asking for a uid or
> user name, but no longer by 'getting all and then searching internally'.

Mmm... interesting...

Indeed, winbind has 'user and group enumeration' disabled by default,
e.g., as you said, 'getent passwd' returns nothing (apart from
/etc/passwd) but 'getent passwd gaio' returns... me. ;)

But it is still strange: if this were the case, I would have user delivery
trouble *always*, and not only during domain controller connection trouble.


So, still seeking feedback...

--
I admire the Americans for how they negotiate: first of all they
think of themselves, then of themselves, and only in the end of themselves.
(Ignacio Lula da Silva)



Re: Exim, NSS, winbind...
Marco Gaiarin via Exim-users <exim-users@exim.org> (Wed 30 Jan 2019 17:06:55 CET):
>
> But some weeks ago I did a general maintenance of my infrastructure, and
> I discovered that Exim refused to deliver to some recipients because the users
> were not known.
> The mail server was temporarily (more than 60 seconds) disconnected from the
> domain controllers.

How does your Exim decide if the user is known? Can you post the
router(s) that are responsible for your local users?

--
Heiko
Re: Exim, NSS, winbind...
Hello! Heiko Schlittermann via Exim-users
wrote on that day...

> How does your Exim decide if the user is known? Can you post the
> router(s) that are responsible for your local users?

Pretty standard Debian routers.

I've added a big section of LDAP routers, but they are only for internal user
aliases; in any case they return a 'login'.

Indeed, the errors are thrown on the physical mailboxes, not on the
aliases, e.g.:
2019-02-11 14:02:34 1gtBEG-0006lw-Qm ** admin123@fvg.lnf.it F=<admin123@pp.lnf.it>: Unrouteable address

where 'admin123@fvg.lnf.it' is the real mailbox and 'admin123@pp.lnf.it' is the
original destination, expanded by LDAP.

The final delivery is done by these routers:

procmail:
  debug_print = "R: procmail for $local_part@$domain"
  driver = accept
  local_part_suffix = +*
  local_part_suffix_optional
  domains = +local_domains
  check_local_user
  transport = procmail_pipe
  # emulate OR with "if exists"-expansion
  require_files = ${local_part}:${home}:\
                  ${if exists{/etc/procmailrc}\
                    {/etc/procmailrc}{${home}/.procmailrc}}:\
                  +/usr/bin/procmail
  no_verify
  no_expn


local_user:
  debug_print = "R: local_user for $local_part@$domain"
  driver = accept
  local_part_suffix = +*
  local_part_suffix_optional
  domains = +local_domains
  check_local_user
  local_parts = ! root
  transport = LOCAL_DELIVERY
  require_files = ${local_part}:${home}
  cannot_route_message = Unknown user

but I think they never match, because the user does not exist (and so neither
does ${home}), and the routers are skipped (hence the 'Unrouteable address').

--
Nobody expects the Bavarian inquisition!
(Anonymous, 19/4/2005)


