From owner-freebsd-isp@FreeBSD.ORG Fri Jul 14 02:05:58 2006
X-Original-To: freebsd-isp@freebsd.org
Delivered-To: freebsd-isp@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8ABB916A4DA; Fri, 14 Jul 2006 02:05:58 +0000 (UTC) (envelope-from kwoody@citytel.net)
Received: from mail.citytel.net (mail.citytel.net [209.145.111.46]) by mx1.FreeBSD.org (Postfix) with ESMTP id 49C6443D49; Fri, 14 Jul 2006 02:05:58 +0000 (GMT) (envelope-from kwoody@citytel.net)
Received: from pop.citytel.net (pop.citytel.net [204.244.98.50]) by mail.citytel.net (Postfix) with ESMTP id 2C14467EBA; Thu, 13 Jul 2006 19:05:56 -0700 (PDT)
Date: Thu, 13 Jul 2006 19:05:56 -0700 (PDT)
From: Keith Woodworth
To: "David J. Orman"
Cc: freebsd-isp@freebsd.org
Subject: Re: Password file
Message-ID: <20060713183330.N59264@pop.citytel.net>
References: <20060713160509.Y59264@pop.citytel.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-BeenThere: freebsd-isp@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Internet Services Providers
X-List-Received-Date: Fri, 14 Jul 2006 02:05:58 -0000

On Thu, 13 Jul 2006, David J. Orman wrote:

|->1 - SSH daemon changes in 4.11 would be my guess
|->2 - Changed UID/GID for postfix user. You need to chown/chmod the spool
|->directory/contents properly using the new postfix user account UID/GID
|->3 - No idea.
|->
|->Your best bet is going to be reinstall, it'll be much less painful IMO.
|->Secondly, the way you are handling this, is bad. It may have worked for a
|->long time, but it's not the correct way to go about this.
|->
|->#1 - You should not allow root login via ssh. You should ssh as a normal
|->user and su. This is for all cases, not just automated processes. Bad bad
|->bad.
|->
|->#2 - Although you didn't explain why, it *seems* as if you're copying the
|->master.passwd file/rebuilding your pwdb to make sure user accounts are
|->synched on the machines? If so - no comment, other than stop right now.
|->In this kind of deployment, where you have multiple servers which need to
|->have synchronized user accounts, you need to setup some kind of directory
|->server (LDAP would be most common - OpenLDAP is a free LDAP server.) Then
|->your servers can do authentication via the LDAP store. Virtual users in
|->postfix can be handled the same way.

Hi.

For ssh, yes that is possible. I was going to do that for postfix, but as
I had just recompiled it with pcre about 2 hrs before, I just did a make;
make upgrade with postfix and it's running again, as all perms were good
to begin with.

As for not being able to ssh in as a user, I used rmuser to delete the
user from the password file and added them back, and now I can ssh into
the server again with those user accounts.

My only other issue now is named. I can't just go rmuser root and add root
in again. Almost like the processes lost 'state' when I dicked with the
passwd file. Dumbass idiot I am, I should know better... Hell, just a
simple reboot might fix it...but I'm not ready to try that yet.

I know it's not a good idea for root logins, but it was one of those
temporary things that we just kept around. It is only one server that
does this, and we have it so only one machine can login as root via
wrappers and ACLs.

And this is the way user accounts are sync'd between two servers. Not
pretty I know, and I know not the correct way. But at the time (over a
year ago now) it was quick and easy to do. And now that I think about it,
I had copied the passwd file first, then installed all the other programs.
All in all, we will be undergoing a large paradigm shift in the next 3 or
4 months and will need to go to an LDAP type system, as we are integrating
two very disparate ISPs into one and will need something like that to make
it all work.

Thanks for the reply, it was appreciated.

Keith
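David's first point, that root should not be able to log in over ssh at all, is a one-line sshd_config change, but the value sshd actually honours for a keyword is the first non-comment occurrence in the file, not the last; a "PermitRootLogin no" appended below an older "PermitRootLogin yes" does nothing. The script below is an added example written for this thread, not code posted by either participant. It reads sshd_config the way sshd resolves it, reports whether direct root login is off, and lists the AllowUsers patterns that still admit root (the user@host form is how a "only one machine may log in as root" restriction like Keith's is expressed inside sshd itself). The sample config, the host 192.0.2.10 and the user name keith are constructed; the parser assumes whitespace-separated keyword/value pairs and no Match blocks.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits an sshd_config the way
# sshd reads it: for a given keyword the FIRST non-comment occurrence wins
# and later duplicates are silently ignored.
# Assumptions: keyword and value are whitespace-separated (the optional
# "Keyword=value" spelling is not handled) and the file has no Match blocks.

# Print the effective value of keyword $1 in file $2, or default $3 if unset.
effective_sshd_option() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[[:space:]]*#/ { next }                 # skip comment lines
        NF >= 2 && tolower($1) == key { print $2; found = 1; exit }
        END { if (!found) print def }             # keyword never set
    ' "$2"
}

# Succeed (0) only if direct root logins over ssh are disallowed.
# "yes" is passed as the default because OpenSSH releases of the 2006
# FreeBSD 4.x era permitted root login unless told otherwise.
root_login_disallowed() {
    [ "$(effective_sshd_option PermitRootLogin "$1" yes)" = no ]
}

# List every AllowUsers pattern that admits root, e.g. "root" or
# "root@192.0.2.10"; all AllowUsers lines contribute (the directive is additive).
root_allow_patterns() {
    awk '
        /^[[:space:]]*#/ { next }
        tolower($1) == "allowusers" {
            for (i = 2; i <= NF; i++)
                if ($i == "root" || index($i, "root@") == 1) print $i
        }
    ' "$1"
}

# Human-readable report for one file; exit status mirrors root_login_disallowed.
audit() {
    printf 'PermitRootLogin (effective): %s\n' \
        "$(effective_sshd_option PermitRootLogin "$1" yes)"
    pats=$(root_allow_patterns "$1")
    printf 'AllowUsers entries for root:  %s\n' "${pats:-(none)}"
    root_login_disallowed "$1"
}

# Constructed sample: looks hardened at the bottom, but the early "yes" wins
# and root may still log in from 192.0.2.10.
write_sample() {
    cat > "$1" <<'EOF'
Port 22
Protocol 2
PermitRootLogin yes
AllowUsers keith root@192.0.2.10
# ... many lines later, a well-meant but ignored fix:
PermitRootLogin no
EOF
}

# Usage: sh sshd_audit.sh /etc/ssh/sshd_config
if [ $# -gt 0 ]; then
    audit "$1"
fi
```

Run it against the live file with `sh sshd_audit.sh /etc/ssh/sshd_config` and act on a non-zero exit; the fix is to make the first PermitRootLogin line read `no` and, where an automated job genuinely needs root, to log in as an unprivileged user and `su`, as David recommends. Keep in mind that tcp wrappers only decide whether a connection is accepted; they do not change which user sshd lets in, so an AllowUsers restriction in sshd is the more precise control.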