From: Jordi Espasa Clofent
To: freebsd-stable@freebsd.org
Date: Fri, 07 Aug 2009 14:36:05 +0200
Subject: nsswitch.conf bad configuration?
Message-ID: <4A7C1FB5.3000908@minibofh.org>
List: freebsd-stable (Production branch of FreeBSD source code)

Hi all,

I have a lot of servers (6.3, 6.4, 7.1, 7.2...) that log in against a centralized LDAP account server.
All works fine, but I can see in the LDAP logs:

# cat /var/log/syslog | grep uid= | awk '{print $12}'
filter="(&(objectClass=posixAccount)(uid=mailer-daemon))"
filter="(&(objectClass=posixAccount)(uid=mailer-daemon))"
filter="(&(objectClass=posixAccount)(uid=mailer-daemon))"
filter="(&(objectClass=posixAccount)(uid=mailer-daemon))"
filter="(&(objectClass=posixAccount)(uid=nobody))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=nobody))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=nobody))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=nobody))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=xatlantax))"
filter="(&(objectClass=posixAccount)(uid=nobody))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=oscar))"
filter="(&(objectClass=posixGroup)(|(memberUid=oscar)(uniqueMember=uid=oscar,ou=cat,ou=tecnic,dc=mycompany,dc=com)))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=bambinnos))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=skateria))"
filter="(&(objectClass=posixAccount)(uid=verom_40))"
filter="(&(objectClass=posixAccount)(uid=iticlab))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=mailnull))"
filter="(&(objectClass=posixAccount)(uid=mailnull))"
filter="(&(objectClass=posixAccount)(uid=sendmail))"
filter="(&(objectClass=posixAccount)(uid=sendmail))"
filter="(&(objectClass=posixAccount)(uid=nobody))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=nobody))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=nobody))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=cdmon))"
filter="(&(objectClass=posixAccount)(uid=nobody))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=nobody))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=nobody))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=nobody))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=nobody))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=nobody))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=cdmon))"
filter="(&(objectClass=posixAccount)(uid=paola))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=mailnull))"
filter="(&(objectClass=posixAccount)(uid=mailnull))"
filter="(&(objectClass=posixAccount)(uid=mailnull))"
filter="(&(objectClass=posixAccount)(uid=sendmail))"
filter="(&(objectClass=posixAccount)(uid=sendmail))"
filter="(&(objectClass=posixAccount)(uid=sendmail))"
filter="(&(objectClass=posixAccount)(uid=mailnull))"
filter="(&(objectClass=posixAccount)(uid=sendmail))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=nobody))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=postfix))"

You can see the difference between the user 'oscar' (exists in the LDAP database) and the others (which don't exist in the LDAP database). The main question is: why do the users 'postfix', 'root', 'paola', 'sendmail' or even 'devnull' appear in the LDAP log if they don't exist in the LDAP database? Obviously, they appear because there are queries under those UIDs/usernames.
I think the problem is the /etc/nsswitch.conf of the servers (which are the LDAP clients):

# cat /etc/nsswitch.conf
group: files ldap
passwd: files ldap
#group: compat
#group_compat: nis
#hosts: files dns
#networks: files
#passwd: compat
#passwd_compat: nis
#shells: files
#services: compat
#services_compat: nis
#protocols: files
#rpc: files

Maybe the commented lines cause the different users/daemons (like postfix, nobody or mailer-daemon) to always look at the group and passwd directives, which have files and ldap. So they ask for something in files (/etc/passwd and /etc/groups), and the default nsswitch.conf behaviour is "I don't know, please ask the next source", so the query is passed on to the ldap source. Is it enough to comment out all the fields in /etc/nsswitch.conf?

Feel free to point out if this isn't the right place for this kind of question (the openldap lists also aren't, so it's an OS-related question rather than an LDAP-related one).

--
Thanks,
Jordi Espasa Clofent
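The grep/awk pipeline in the post only lists the filters; what an administrator usually wants next is a per-uid count split by whether the name is defined in the client's own files source (/etc/passwd) or not, since the post's question is exactly about lookups for locally defined accounts that still reach the directory. The script below is an added example, not the poster's code; the slapd syslog lines and the passwd excerpt are constructed samples that use the same filter="(&(objectClass=posixAccount)(uid=...))" shape as the log in the post, and the slapd log format (conn=/op=/SRCH ... filter="...") is assumed from OpenLDAP's default stats logging.

```python
import re
from collections import Counter

# Constructed sample lines in OpenLDAP slapd syslog format (not the
# poster's real log). Only the filter="..." field is parsed.
SAMPLE_LOG = """\
Aug  7 12:00:01 ldap01 slapd[1234]: conn=1001 op=1 SRCH base="dc=mycompany,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=postfix))"
Aug  7 12:00:01 ldap01 slapd[1234]: conn=1001 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
Aug  7 12:00:02 ldap01 slapd[1234]: conn=1002 op=1 SRCH base="dc=mycompany,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=root))"
Aug  7 12:00:02 ldap01 slapd[1234]: conn=1003 op=1 SRCH base="dc=mycompany,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=root))"
Aug  7 12:00:03 ldap01 slapd[1234]: conn=1004 op=1 SRCH base="dc=mycompany,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=oscar))"
Aug  7 12:00:03 ldap01 slapd[1234]: conn=1004 op=2 SRCH base="dc=mycompany,dc=com" scope=2 deref=0 filter="(&(objectClass=posixGroup)(|(memberUid=oscar)(uniqueMember=uid=oscar,ou=cat,ou=tecnic,dc=mycompany,dc=com)))"
Aug  7 12:00:04 ldap01 slapd[1234]: conn=1005 op=1 SRCH base="dc=mycompany,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=nobody))"
"""

# Constructed excerpt of a client's /etc/passwd, i.e. the 'files' source
# that nsswitch.conf consults before 'ldap'.
SAMPLE_PASSWD = """\
root:*:0:0:Charlie &:/root:/bin/csh
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
postfix:*:125:125:Postfix Mail System:/var/spool/postfix:/usr/sbin/nologin
"""

# A posixAccount search by uid, as emitted by nss_ldap for getpwnam-style
# lookups; the uid value runs up to the closing parenthesis.
UID_FILTER = re.compile(r'filter="\(&\(objectClass=posixAccount\)\(uid=([^)]+)\)\)"')
# A posixGroup membership search (group lookups are counted separately).
GROUP_FILTER = re.compile(r'filter="\(&\(objectClass=posixGroup\)')


def local_accounts(passwd_text):
    """Return the set of user names defined in passwd(5)-style text."""
    names = set()
    for line in passwd_text.splitlines():
        if line and not line.startswith("#"):
            names.add(line.split(":", 1)[0])
    return names


def classify_lookups(log_text, passwd_text):
    """Count posixAccount searches per uid and split them into names that
    exist in the local files source and names that do not, plus a count
    of posixGroup searches."""
    local = local_accounts(passwd_text)
    uid_counts = Counter()
    group_searches = 0
    for line in log_text.splitlines():
        m = UID_FILTER.search(line)
        if m:
            uid_counts[m.group(1)] += 1
        elif GROUP_FILTER.search(line):
            group_searches += 1
    report = {"local": {}, "not_local": {}, "group_searches": group_searches}
    for uid, n in uid_counts.items():
        bucket = "local" if uid in local else "not_local"
        report[bucket][uid] = n
    return report


if __name__ == "__main__":
    # Stand-alone run over the constructed samples; swap in real file
    # contents to analyse an actual slapd log against a client's passwd.
    result = classify_lookups(SAMPLE_LOG, SAMPLE_PASSWD)
    print("uid searches for accounts that exist in local files:")
    for uid, n in sorted(result["local"].items()):
        print(f"  {uid:<16} {n}")
    print("uid searches for accounts not in local files:")
    for uid, n in sorted(result["not_local"].items()):
        print(f"  {uid:<16} {n}")
    print(f"group membership searches: {result['group_searches']}")
```

Running it on a real log, the "local" bucket is the list of system accounts (root, postfix, nobody and so on) whose lookups reached the directory even though files answers for them; the counts per uid show which daemons generate most of that traffic, which is the first thing to know before changing the passwd and group lines in nsswitch.conf.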