Dear Managers,
Sorry for the delay in summarizing; extreme heat in the
eastern US combined with a building air conditioner failure took us
offline for several days. Two suggestions were received; neither
worked in my situation. I'll list them in case they help someone
else. At this point I think I'll have to remove and recreate the user
account.
Thanks to:
Saar Picker <saarp_at_uclink4.berkeley.edu>
Pavel Turcaj <pavel_at_cssip.edu.au>
>From Saar:
Shot in the dark here, but you wouldn't happen to be using APOP,
would you? When using APOP, you need to run the popauth command to
change passwords as well as the unix passwd command since qpopper
ends up storing it's own version of the encrypted passwords (APOP uses
a one-time password scheme).
>From Pavel:
if the user was logged to pop account while machine went down, the pop daemon
would have leaved lock file behind which will prevent access to the account in
question. It is usually file /var/spool/mail/.username (but could be changed
during compile time). All you have to do to fix the users access is to remove
the lock file.
Original post:
Dear Managers,
A colleague complained to me that he was unable to access his
mail today. He had tried Netscape, Pine, and MH. A quick check of
the system logs confirmed that the problem was an incorrect password
for both POP and IMAP access. He is able to log in via telnet,
however. Changing his password didn't help.
We run NIS with C2 security on Tru64-Unix v4.0Dp3. The pop
daemon is Qualcomm's qpopper v2.53 with the special_auth enabled.
IMAP is version 4.2 from U of Washington. The NIS server is also the
mail server (it does not allow telnet connections). Both daemons are
on a NFS-readonly-distributed /usr/local and are launched from
/etc/inetd.conf; the maildrops are on the NIS/mail server and are not
NFS-distributed. The protection/ownership of the maildrop is 600
owned by the colleague's userid.
A electrical storm passed through while the colleague was
accessing his mail yesterday. All the client stations crashed and
rebooted. The NIS master is on a UPS and it did not crash. The
current user load is light; it is quite possible my colleague was the
only user at the time. I haven't checked all the client station logs
to be sure, however.
I tried the following:
i) The password on a test (non-privileged) account was deliberately
changed and an e-mail message was sent to that account. A telnet
connection to an NIS client was successful with the new password.
Pine (run on the client) successfully retrieved the e-mail message
after logging into the NIS/mail server with the new password. A
telnet connection to the server on port 110 (the POP port) was
successfully authenticated (by issuing the POP USER and PASS commands)
with the new password. No other complaints have been received, so
apparently the problem only affects the single account.
ii) I checked that my colleague's password was current (in fact he had
changed it only 6 minutes before calling me) and that his account
wasn't expired.
iii) I changed the password for my colleague's account multiple times
from the root account. I checked each password change via a ordinary
telnet connection to a client (to test the NIS password) and a telnet
connection to the server on port 110. The NIS password changes were
all successful, but only one change affected POP. The user is still
stuck with that one password change I made as far as POP is concerned.
iv) I rebuilt the NIS prpasswd database in /var/yp/<domain name> from
scratch by moving the maps to backup files and doing a make from
/var/yp. This didn't help.
v) I looked at the Qualcomm qpopper source code. As far as I can
see, it just uses a call to getprpnam to check the password. I'm not
an expert, but I think that's the same mechanism NIS uses, so I'm at a
loss to explain why NIS works and POP fails.
Any suggestions?
Larry
============================================================================
Larry Griffith Dept. of Computer & Info Science
larry_at_cs.wsc.ma.edu Westfield State College
(413) 572-5294 Westfield, MA 01086 USA
PGP public key available at:
http://cs.wsc.ma.edu/dcis/griffith.html
============================================================================
Received on Thu Jul 08 1999 - 01:23:50 NZST