at and cron vs. ldap
Bevan C. Bennett
bevan at fulcrummicro.com
Thu Jan 8 17:38:30 UTC 2004
Stephen Walton wrote:
> All good questions. MTA is dead simple though, as I'm not running a
> server; DS in sendmail.cf is used to define our campus SMTP master as a
> smart mail forwarder. I only see the problem behavior on our LDAP
> clients, though, not on our server, which seems an important clue.
> There is no output whatsoever in /var/log/maillog. I can't exclude an
> error in ldap.conf or pam.d/system-auth although they are the ones
> created by redhat-config-authentication pretty much.
This may be a red herring, but have you verified that mail on the client
system works outside of at/cron? What happens with "/bin/mail root" and
"/bin/mail ldap_user"?
There was a fairly large change where they split the configuration into
two files: /etc/mail/sendmail.cf and /etc/mail/submit.cf, and you need
to make sure you put a valid null-client config in submit.cf for the
client side...
I generate the submit.cf file with a .mc that looks like this:
--------------------------------------------------------------
divert(0)dnl
include(`/usr/share/sendmail-cf/m4/cf.m4')
VERSIONID(`linux setup for Red Hat Linux')dnl
define(`confCF_VERSION', `Submit')dnl
define(`__OSTYPE__',`')dnl dirty hack to keep proto.m4 from complaining
define(`confTIME_ZONE', `USE_TZ')dnl
define(`confPID_FILE', `/var/run/sm-client.pid')dnl
dnl define(`confDIRECT_SUBMISSION_MODIFIERS',`C')
MASQUERADE_AS(`my.domain.com')
FEATURE(`allmasquerade')
FEATURE(`msp', `[smtp.my.domain.com]')dnl
dnl FEATURE(`use_ct_file')dnl
--------------------------------------------------------------
Then put
DAEMON=no
QUEUE=1h
into /etc/sysconfig/sendmail (so it just runs to flush the queue in case
it ever fails to connect to the central SMTP server).
If the mail configuration is working fine on its own, the next place I'd
look is at the LDAP config in /etc/pam.d/system-auth. The GUI-set
defaults there often seem to cause problems. I changed mine to:
#%PAM-1.0
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_ldap.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok use_first_pass
auth required /lib/security/$ISA/pam_deny.so
account sufficient /lib/security/$ISA/pam_ldap.so
account required /lib/security/$ISA/pam_unix.so
password required /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session optional /lib/security/$ISA/pam_ldap.so
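
Added example, not part of the original post: a small Python check that a system-auth file copied out of a mail message still parses as PAM rules before it is installed. The name lint_pam and the sample constants are assumptions made for this example; the sample rules are taken from the post, with one of them broken across two lines the way mail clients wrap long lines.

```python
import re

PAM_TYPES = {"auth", "account", "password", "session"}
# type, control (keyword or [bracketed] form), module path, optional arguments
RULE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def lint_pam(text):
    """Parse the contents of a PAM stack file.

    Returns (rules, problems):
      rules    -- list of (lineno, type, control, module, [args])
      problems -- list of (lineno, message) for lines that are not PAM rules
    """
    rules, problems = [], []
    pending, start = "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        if not pending:
            start = n
        line = pending + raw.strip()
        # PAM joins a line that ends in a backslash with the following line.
        if line.endswith("\\"):
            pending = line[:-1] + " "
            continue
        pending = ""
        if not line or line.startswith("#"):
            continue
        m = RULE.match(line)
        if not m or m.group(1).lstrip("-") not in PAM_TYPES:
            problems.append((start, "not a PAM rule (wrapped line?): " + line))
            continue
        ptype, control, module, args = m.groups()
        rules.append((start, ptype.lstrip("-"), control, module, args.split()))
    return rules, problems


# Sample input: rules from the post, the first one wrapped by a mail client.
WRAPPED = """\
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
use_first_pass
auth required /lib/security/$ISA/pam_deny.so
"""
# The same rules with the wrapped option joined back onto its rule.
JOINED = WRAPPED.replace("nullok\nuse_first_pass", "nullok use_first_pass")

if __name__ == "__main__":
    for label, text in (("wrapped", WRAPPED), ("joined", JOINED)):
        rules, problems = lint_pam(text)
        print(label, "->", len(rules), "rules,", len(problems), "problems")
        for lineno, msg in problems:
            print("  line %d: %s" % (lineno, msg))
```

In the wrapped sample the pam_unix.so rule still parses, but without use_first_pass, so the thing to look for is both the stray line and the rule just above it that lost an option.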