at and cron vs. ldap

Bevan C. Bennett bevan at fulcrummicro.com
Thu Jan 8 17:38:30 UTC 2004


Stephen Walton wrote:

> All good questions.  MTA is dead simple though, as I'm not running a 
> server;  DS in sendmail.cf is used to define our campus SMTP master as a 
> smart mail forwarder.  I only see the problem behavior on our LDAP 
> clients, though, not on our server, which seems an important clue.  
> There is no output whatsoever in /var/log/maillog.  I can't exclude an 
> error in ldap.conf or pam.d/system-auth although they are the ones 
> created by redhat-config-authentication pretty much.

This may be a red herring, but have you verified that mail on the client 
system works outside of at/cron? What happens with "/bin/mail root" and 
"/bin/mail ldap_user"?

There was a fairly large change where they split the configuration into 
two files: /etc/mail/sendmail.cf and /etc/mail/submit.cf, and you need 
to make sure you put a valid null-client config in submit.cf for the 
client side...

I generate the submit.cf file with a .mc that looks like this:
--------------------------------------------------------------
divert(0)dnl
include(`/usr/share/sendmail-cf/m4/cf.m4')
VERSIONID(`linux setup for Red Hat Linux')dnl
define(`confCF_VERSION', `Submit')dnl
define(`__OSTYPE__',`')dnl dirty hack to keep proto.m4 from complaining
define(`confTIME_ZONE', `USE_TZ')dnl
define(`confPID_FILE', `/var/run/sm-client.pid')dnl
dnl define(`confDIRECT_SUBMISSION_MODIFIERS',`C')
MASQUERADE_AS(`my.domain.com')
FEATURE(`allmasquerade')
FEATURE(`msp', `[smtp.my.domain.com]')dnl
dnl FEATURE(`use_ct_file')dnl
--------------------------------------------------------------

Then put
DAEMON=no
QUEUE=1h
into /etc/sysconfig/sendmail (so it just runs to flush the queue in case
it ever fails to connect to the central SMTP server).

If the mail configuration is working fine on its own, the next place I'd 
look is at the LDAP config in /etc/pam.d/system-auth. The GUI-set 
defaults there often seem to cause problems. I changed mine to:

#%PAM-1.0
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_ldap.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     sufficient    /lib/security/$ISA/pam_ldap.so
account     required      /lib/security/$ISA/pam_unix.so

password    required      /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_ldap.so
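
The control flags in the auth and account stacks above, walked through with a simplified evaluator. This is an added example, not part of the original post; the module outcomes in USERS are constructed, and real PAM return-code handling is more detailed than this model.

```python
# Added example: simplified model of PAM's classic control flags.
# Stack text is the auth/account part of the post, wrapped lines rejoined.
STACK = """\
auth     required    /lib/security/$ISA/pam_env.so
auth     sufficient  /lib/security/$ISA/pam_ldap.so
auth     sufficient  /lib/security/$ISA/pam_unix.so likeauth nullok use_first_pass
auth     required    /lib/security/$ISA/pam_deny.so
account  sufficient  /lib/security/$ISA/pam_ldap.so
account  required    /lib/security/$ISA/pam_unix.so
"""

def parse(text):
    """Return {module_type: [(control, module_name), ...]} in file order."""
    stacks = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        mtype, control, path = line.split()[:3]
        stacks.setdefault(mtype, []).append((control, path.rsplit("/", 1)[-1]))
    return stacks

def evaluate(stack, results):
    """Walk one stack. `results` maps module name -> True/False (constructed
    outcomes); unlisted modules succeed, except pam_deny.so, which always fails."""
    required_failed = False
    for control, module in stack:
        ok = results.get(module, module != "pam_deny.so")
        if control == "sufficient" and ok and not required_failed:
            return True               # success here ends the stack early
        if control == "requisite" and not ok:
            return False              # failure here ends the stack early
        if control == "required" and not ok:
            required_failed = True    # remembered, but later modules still run
        # a failed "sufficient" module is ignored; "optional" is ignored here
    return not required_failed

# Constructed module outcomes for three kinds of account.
USERS = {
    "ldap_only": {"pam_ldap.so": True,  "pam_unix.so": False},
    "local":     {"pam_ldap.so": False, "pam_unix.so": True},
    "unknown":   {"pam_ldap.so": False, "pam_unix.so": False},
}

def decisions(text=STACK):
    stacks = parse(text)
    return {u: {t: evaluate(s, r) for t, s in stacks.items()} for u, r in USERS.items()}

if __name__ == "__main__":
    for user, verdict in decisions().items():
        print(user, verdict)
```

In this model, listing the account line for pam_unix.so (`required`) ahead of pam_ldap.so (`sufficient`) makes the account check fail for the LDAP-only user, because the recorded `required` failure outlives the later success.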




