
Use mxshadow #189

Merged
merged 4 commits into from
Jun 1, 2021
Conversation

donald (Collaborator) commented May 25, 2021

This PR is the actual switch of the shadow map from nis to mxshadow.

donald (Collaborator, Author) commented May 25, 2021

Tested (amongst others) on our busiest login checker tldr for a few days. Imapd is using saslauthd. The saslauthd process and the mxshadowsrv process on wtf have been monitored for leaks. Also running in theinternet for weeks (which I use daily) and I think even on our powerpc system.

admin: See how this works at https://github.molgen.mpg.de/mariux64/mxshadow/blob/main/README.md

If anything goes wrong, the only way to log in would be as "root" with the password (because "root" is in /etc/shadow).

donald (Collaborator, Author) commented May 26, 2021

Pre-activated on geniux.

donald (Collaborator, Author) commented May 29, 2021

@thomas noticed that the daily helpdesk reminder mails were no longer sent. In fact, cronjobs for the cyrus user were no longer executed (and `su cyrus` also stopped working). This was not really caused by mxshadow, but by my misguided attempt to reduce the size of the shadow map by not including entries with invalid hashes in /package/nis/src/pre_passwd:

commit 71bdcd7fa13c332b8003dff452ad07a9fb8a7b29
Author: Donald Buczek <buczek@molgen.mpg.de>
Date:   Sat May 22 11:37:32 2021 +0200

    pre_passwd: Include only valid hashes in shadow
    
    When we create the shadow file, only include records with valid hashes.
    This currently reduced the number of entries from 4571 to 462 and the
    filesize from 119484 to 22049 bytes.

diff --git a/src/pre_passwd b/src/pre_passwd
index 7ec140bc5..6648fdc25 100755
--- a/src/pre_passwd
+++ b/src/pre_passwd
@@ -60,8 +60,9 @@ if ($map_type eq 'passwd.byname') {
        for my $login (sort keys %LOGIN) {
                my @F=split /:/,$REC[$LOGIN{$login}],-1;
                my $pw=$F[1];
-               $pw='---' if $pw =~ /^---/;     # O users have their (old) password hash prefixed with "---" to support undeluser.pl. No need to publish hash
-               printf "%s\n",join(':',$F[0],$pw,'','','','','','','');
+               if ($pw =~ /^\$\d\$/ || $pw =~ m"^[A-Za-z0-9\./]{13}$") {
+                       printf "%s\n",join(':',$F[0],$pw,'','','','','','','');
+               }
        }
 } else {
        die USAGE;
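Review bot: the valid-hash test in this hunk drops whole accounts, not just unusable hashes. Any login whose password field is `x`, `*LOCKED*` or the `---`-prefixed O-user value gets no shadow record at all, so a consumer that resolves the user through the shadow map before a password-less authentication (root `su`, cron) sees an unknown user instead of an account with an unusable password; the commit message only reports the size reduction and does not say that the former `---` placeholder line for O users disappears too. The prefix test `^\$\d\$` is also narrower than "valid hash": it only accepts digit-named crypt schemes, so a yescrypt hash (`$y$...`) or a bcrypt hash (`$2b$...`) would be filtered out as invalid even though it is a real, usable password. If the aim is only to avoid publishing old O-user hashes, keep the removed `$pw='---' if $pw =~ /^---/;` substitution and emit every record.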

Now fixed by

commit 9d9e9b9c41aa54cf00fc2eab9e1a82324ace12bb (HEAD -> master)
Author: Donald Buczek <buczek@molgen.mpg.de>
Date:   Sat May 29 11:22:02 2021 +0200

    pre_passwd: Include invalid hashes in shadow
    
    Fixes: 71bdcd7fa13c ("pre_passwd: Include only valid hashes in shadow")
    
    Include users with invalid password hashes ("*LOCKED*", "x"). Otherwise
    pam_unix fails for these and authentication without password like su
    from root or cronjobs might fail.

diff --git a/src/pre_passwd b/src/pre_passwd
index 6648fdc25..f0348ecbc 100755
--- a/src/pre_passwd
+++ b/src/pre_passwd
@@ -58,11 +58,12 @@ if ($map_type eq 'passwd.byname') {
        }
 } elsif ($map_type eq 'shadow') {
        for my $login (sort keys %LOGIN) {
+               # exclude O- users but include users with invalid password hashes ("*LOCKED*", "x")
+               # otherwise pam_unix fails for these and authentication without password like su from root
+               # or cronjobs might fail.
+               next if $login =~ /^O/;               # exclude O-users. We need to include users with
                my @F=split /:/,$REC[$LOGIN{$login}],-1;
-               my $pw=$F[1];
-               if ($pw =~ /^\$\d\$/ || $pw =~ m"^[A-Za-z0-9\./]{13}$") {
-                       printf "%s\n",join(':',$F[0],$pw,'','','','','','','');
-               }
+               printf "%s\n",join(':',$F[0],$F[1],'','','','','','','');
        }
 } else {
        die USAGE;
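Review bot: the trailing comment on the `next if $login =~ /^O/;` line (`# exclude O-users. We need to include users with`) is a cut-off duplicate of the three-line block comment added just above it and should be deleted. More importantly, the exclusion criterion has silently changed: before 71bdcd7fa13c the builder keyed on the hash (`$pw =~ /^---/`), this version keys on the login name (`/^O/`), and the hash is now passed through as `$F[1]` unchanged. Any account outside the O- naming scheme whose hash carries the `---` prefix is therefore published with its old hash intact, and an O-login is dropped whether or not its hash is masked. The earlier comment states that O users have their old hash prefixed with `---`; masking on that hash prefix (or doing both checks) matches the stated invariant rather than relying on the login name alone.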

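The failure mode described in this comment, as an added illustration that is not code from the PR, from pre_passwd or from mxshadow: both versions of the shadow filter are re-implemented over a constructed set of records, and a deliberately simplified model of a pam_unix-style lookup shows why an account that is missing from the map fails even for password-less `su` or cron. The sample records, the `passwordless_account_ok` model and all names in it are assumptions for the example; it also includes a yescrypt-style `$y$` hash, which the digit-only prefix test from the first commit would drop as well, a case the comment itself does not mention.

```python
import re

# Constructed sample records (login:hash:uid:gid:gecos:home:shell), modelled on the
# kinds of entries the PR comment names. None of these are real accounts or hashes.
SAMPLE_RECORDS = [
    "alice:$6$saltsalt$fakehashfakehash:1001:100:Alice:/home/alice:/bin/bash",
    "bob:abCDefGH1234.:1002:100:Bob:/home/bob:/bin/bash",            # 13-char DES crypt(3)
    "cyrus:*LOCKED*:76:12:Cyrus IMAP:/var/imap:/bin/sh",              # service account, no password login
    "daemon:x:2:2:daemon:/sbin:/sbin/nologin",
    "erin:$y$j9T$saltsalt$fakehashfakehash:1004:100:Erin:/home/erin:/bin/bash",   # yescrypt, no digit in prefix
    "Oalice:---$6$saltsalt$fakehashfakehash:1005:100:old alice:/home/Oalice:/bin/false",  # O user, hash kept behind ---
]

# Hash test from commit 71bdcd7fa13c: "$<digit>$..." or a 13-character DES hash.
VALID_HASH = re.compile(r"^\$\d\$|^[A-Za-z0-9./]{13}$")


def shadow_line(login, pw):
    """Shadow record with the seven trailing fields pre_passwd leaves empty."""
    return ":".join([login, pw, "", "", "", "", "", "", ""])


def build_shadow_map(records, mode):
    """Return {login: shadow line} for the sorted records.

    mode="valid_only" re-implements the filter from 71bdcd7fa13c (hash must look valid).
    mode="fixed" re-implements 9d9e9b9c41aa (drop O-logins, keep every other hash as-is).
    """
    shadow = {}
    for rec in sorted(records):            # first field is the login, so this sorts by login
        fields = rec.split(":")
        login, pw = fields[0], fields[1]
        if mode == "valid_only":
            if not VALID_HASH.match(pw):
                continue
        elif mode == "fixed":
            if login.startswith("O"):
                continue
        else:
            raise ValueError("unknown mode: %r" % mode)
        shadow[login] = shadow_line(login, pw)
    return shadow


def dropped_logins(records):
    """Logins present under the fixed rule but silently missing under the valid-only rule."""
    fixed = build_shadow_map(records, "fixed")
    filtered = build_shadow_map(records, "valid_only")
    return sorted(set(fixed) - set(filtered))


def passwordless_account_ok(shadow, login):
    """Assumed, simplified model of a pam_unix-style lookup for an authentication
    that presents no password (root `su`, a cron job): the account must resolve to
    a shadow entry at all; the hash content is irrelevant because nothing is
    compared against it. Illustration only, not pam_unix's actual code path.
    """
    return login in shadow


if __name__ == "__main__":
    for mode in ("valid_only", "fixed"):
        shadow = build_shadow_map(SAMPLE_RECORDS, mode)
        print("%-10s %d entries, cyrus can run cron/su: %s"
              % (mode, len(shadow), passwordless_account_ok(shadow, "cyrus")))
    print("dropped by the valid-only filter:", dropped_logins(SAMPLE_RECORDS))
```

Running the block prints two entries for the valid-only map against five for the fixed map, with `cyrus`, `daemon` and `erin` as the accounts the first filter removed; the size saving the first commit reports comes from exactly those removed accounts.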
@donald donald merged commit cd39586 into master Jun 1, 2021