Date:      Fri, 07 Aug 2009 14:36:05 +0200
From:      Jordi Espasa Clofent <jespasac@minibofh.org>
To:        freebsd-stable@freebsd.org
Subject:   nsswitch.conf bad configuration?
Message-ID:  <4A7C1FB5.3000908@minibofh.org>

Hi all,

I have a lot of servers (6.3, 6.4, 7.1, 7.2...) that log in against a centralized 
LDAP account server.  All works fine, but I can see this in the LDAP logs:

# cat /var/log/syslog | grep uid= | awk '{print $12}'
filter="(&(objectClass=posixAccount)(uid=mailer-daemon))"
filter="(&(objectClass=posixAccount)(uid=mailer-daemon))"
filter="(&(objectClass=posixAccount)(uid=mailer-daemon))"
filter="(&(objectClass=posixAccount)(uid=mailer-daemon))"
filter="(&(objectClass=posixAccount)(uid=nobody))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=nobody))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=nobody))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=nobody))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=xatlantax))"
filter="(&(objectClass=posixAccount)(uid=nobody))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=oscar))"
filter="(&(objectClass=posixGroup)(|(memberUid=oscar)(uniqueMember=uid=oscar,ou=cat,ou=tecnic,dc=mycompany,dc=com)))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=bambinnos))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=skateria))"
filter="(&(objectClass=posixAccount)(uid=verom_40))"
filter="(&(objectClass=posixAccount)(uid=iticlab))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=mailnull))"
filter="(&(objectClass=posixAccount)(uid=mailnull))"
filter="(&(objectClass=posixAccount)(uid=sendmail))"
filter="(&(objectClass=posixAccount)(uid=sendmail))"
filter="(&(objectClass=posixAccount)(uid=nobody))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=nobody))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=nobody))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=cdmon))"
filter="(&(objectClass=posixAccount)(uid=nobody))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=nobody))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=nobody))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=nobody))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=nobody))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=nobody))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=cdmon))"
filter="(&(objectClass=posixAccount)(uid=paola))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=mailnull))"
filter="(&(objectClass=posixAccount)(uid=mailnull))"
filter="(&(objectClass=posixAccount)(uid=mailnull))"
filter="(&(objectClass=posixAccount)(uid=sendmail))"
filter="(&(objectClass=posixAccount)(uid=sendmail))"
filter="(&(objectClass=posixAccount)(uid=sendmail))"
filter="(&(objectClass=posixAccount)(uid=mailnull))"
filter="(&(objectClass=posixAccount)(uid=sendmail))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=nobody))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=postfix))"

You can see the difference between user 'oscar' (which exists in the LDAP database) 
and the others (which don't exist in the LDAP database).

The main question is: why do users 'postfix', 'root', 'paola', 
'sendmail' or even 'devnull' appear in the LDAP log if they don't exist in the LDAP 
database? Obviously, they appear because there are queries being made under those 
UIDs/usernames.

I think the problem is in the /etc/nsswitch.conf of the servers (which are the 
LDAP clients):

# cat /etc/nsswitch.conf

group:  files ldap
passwd: files ldap
#group: compat
#group_compat: nis
#hosts: files dns
#networks: files
#passwd: compat
#passwd_compat: nis
#shells: files
#services: compat
#services_compat: nis
#protocols: files
#rpc: files

Maybe the commented lines cause the different users/daemons (like 
postfix, nobody or mailer-daemon) to always fall through to the group and passwd 
directives, which have both files and ldap. So they look something up in files 
(/etc/passwd and /etc/group), and the default nsswitch.conf behaviour is 
"I don't know, please ask the next source", so the query is 
passed on to the ldap source.

Is it enough to comment out all the fields in /etc/nsswitch.conf?

Feel free to point out if this isn't the right place for this kind of 
question (the openldap lists aren't either, since it's an OS-related question 
rather than an LDAP-related question).

-- 
Thanks,
Jordi Espasa Clofent


