nsswitch.conf bad configuration?
Jordi Espasa Clofent
jespasac at minibofh.org
Fri Aug 7 12:42:48 UTC 2009
Hi all,
I've a lot of servers (6.3,6.4, 7.1, 7.2...) login against centralized
LDAP account server. All works fine, but I can see in LDAP logs:
# cat /var/log/syslog | grep uid= | awk '{print $12}'
filter="(&(objectClass=posixAccount)(uid=mailer-daemon))"
filter="(&(objectClass=posixAccount)(uid=mailer-daemon))"
filter="(&(objectClass=posixAccount)(uid=mailer-daemon))"
filter="(&(objectClass=posixAccount)(uid=mailer-daemon))"
filter="(&(objectClass=posixAccount)(uid=nobody))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=nobody))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=nobody))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=nobody))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=xatlantax))"
filter="(&(objectClass=posixAccount)(uid=nobody))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=oscar))"
filter="(&(objectClass=posixGroup)(|(memberUid=oscar)(uniqueMember=uid=oscar,ou=cat,ou=tecnic,dc=mycompany,dc=com)))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=bambinnos))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=skateria))"
filter="(&(objectClass=posixAccount)(uid=verom_40))"
filter="(&(objectClass=posixAccount)(uid=iticlab))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=mailnull))"
filter="(&(objectClass=posixAccount)(uid=mailnull))"
filter="(&(objectClass=posixAccount)(uid=sendmail))"
filter="(&(objectClass=posixAccount)(uid=sendmail))"
filter="(&(objectClass=posixAccount)(uid=nobody))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=nobody))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=nobody))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=cdmon))"
filter="(&(objectClass=posixAccount)(uid=nobody))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=nobody))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=nobody))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=nobody))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=nobody))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=nobody))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=cdmon))"
filter="(&(objectClass=posixAccount)(uid=paola))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=mailnull))"
filter="(&(objectClass=posixAccount)(uid=mailnull))"
filter="(&(objectClass=posixAccount)(uid=mailnull))"
filter="(&(objectClass=posixAccount)(uid=sendmail))"
filter="(&(objectClass=posixAccount)(uid=sendmail))"
filter="(&(objectClass=posixAccount)(uid=sendmail))"
filter="(&(objectClass=posixAccount)(uid=mailnull))"
filter="(&(objectClass=posixAccount)(uid=sendmail))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=nobody))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
You can see the difference between the user 'oscar' (which exists in the LDAP database)
and the others (which do not exist in the LDAP database).
The main question is: why do users such as 'postfix', 'root', 'paola',
'sendmail' or even 'devnull' appear in the LDAP log if they don't exist in the LDAP
database? Obviously, they appear because queries are being made under those
UIDs/usernames.
I think the problem is the /etc/nsswitch.conf of the servers (which are the
LDAP clients):
# cat /etc/nsswitch.conf
group: files ldap
passwd: files ldap
#group: compat
#group_compat: nis
#hosts: files dns
#networks: files
#passwd: compat
#passwd_compat: nis
#shells: files
#services: compat
#services_compat: nis
#protocols: files
#rpc: files
Maybe the commented-out lines cause the different users/daemons (like
postfix, nobody or mailer-daemon) to always fall under the group and passwd
directives, which list both files and ldap. So they look something up in files
(/etc/passwd and /etc/group), and the default nsswitch.conf behaviour is
"I don't know, please ask the next source", so the query is
passed on to the ldap source.
Is it enough to comment out all the fields in /etc/nsswitch.conf?
Feel free to point out if this isn't the right place for this kind of
question (the openldap lists aren't either, since it's an OS-related question
rather than an LDAP-related one).
--
Thanks,
Jordi Espasa Clofent