Hi all,

I've a lot of servers (6.3, 6.4, 7.1, 7.2...) logging in against a centralized LDAP account server. All works fine, but I can see in the LDAP logs:

# cat /var/log/syslog | grep uid= | awk '{print $12}'
filter="(&(objectClass=posixAccount)(uid=mailer-daemon))"
filter="(&(objectClass=posixAccount)(uid=mailer-daemon))"
filter="(&(objectClass=posixAccount)(uid=mailer-daemon))"
filter="(&(objectClass=posixAccount)(uid=mailer-daemon))"
filter="(&(objectClass=posixAccount)(uid=nobody))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=nobody))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=nobody))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=nobody))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=xatlantax))"
filter="(&(objectClass=posixAccount)(uid=nobody))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=oscar))"
filter="(&(objectClass=posixGroup)(|(memberUid=oscar)(uniqueMember=uid=oscar,ou=cat,ou=tecnic,dc=mycompany,dc=com)))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=bambinnos))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=skateria))"
filter="(&(objectClass=posixAccount)(uid=verom_40))"
filter="(&(objectClass=posixAccount)(uid=iticlab))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=mailnull))"
filter="(&(objectClass=posixAccount)(uid=mailnull))"
filter="(&(objectClass=posixAccount)(uid=sendmail))"
filter="(&(objectClass=posixAccount)(uid=sendmail))"
filter="(&(objectClass=posixAccount)(uid=nobody))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=nobody))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=nobody))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=cdmon))"
filter="(&(objectClass=posixAccount)(uid=nobody))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=nobody))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=nobody))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=nobody))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=nobody))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=nobody))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=cdmon))"
filter="(&(objectClass=posixAccount)(uid=paola))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=mailnull))"
filter="(&(objectClass=posixAccount)(uid=mailnull))"
filter="(&(objectClass=posixAccount)(uid=mailnull))"
filter="(&(objectClass=posixAccount)(uid=sendmail))"
filter="(&(objectClass=posixAccount)(uid=sendmail))"
filter="(&(objectClass=posixAccount)(uid=sendmail))"
filter="(&(objectClass=posixAccount)(uid=mailnull))"
filter="(&(objectClass=posixAccount)(uid=sendmail))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=nobody))"
filter="(&(objectClass=posixAccount)(uid=postfix))"
filter="(&(objectClass=posixAccount)(uid=root))"
filter="(&(objectClass=posixAccount)(uid=postfix))"

You can see the difference between user 'oscar' (exists in the LDAP database) and the others (don't exist in the LDAP database).

The main question is: why do users 'postfix', 'root', 'paola', 'sendmail' or even 'devnull' appear in the LDAP log if they don't exist in the LDAP database? Obviously, they appear because there are queries under this UID/username.
I think the problem is the /etc/nsswitch.conf of the servers (which are the LDAP clients):

# cat /etc/nsswitch.conf
group: files ldap
passwd: files ldap
#group: compat
#group_compat: nis
#hosts: files dns
#networks: files
#passwd: compat
#passwd_compat: nis
#shells: files
#services: compat
#services_compat: nis
#protocols: files
#rpc: files

Maybe the commented lines make the different users/daemons (like postfix, nobody or mailer-daemon) always look at the group and passwd directives, which have files and ldap. So, they ask for something in files (/etc/passwd and /etc/group) and the default nsswitch.conf behaviour is "I don't know, please ask the next source", and the query is passed on to the ldap source.

Is it enough to comment out all the fields in /etc/nsswitch.conf?

Feel free to point out if this isn't the right place for this kind of question (the openldap lists also aren't, so it's a FreeBSD-related question rather than an LDAP-related question).

--
Thanks,
Jordi Espasa Clofent
In the last episode (Aug 07), Jordi Espasa Clofent said:
> Hi all,
>
> I've a lot of servers (6.3,6.4, 7.1, 7.2...) login against centralized
> LDAP account server. All works fine, but I can see in LDAP logs:
>
> # cat /var/log/syslog | grep uid= | awk '{print $12}'
[...]
> filter="(&(objectClass=posixAccount)(uid=root))"
> filter="(&(objectClass=posixAccount)(uid=oscar))"
> filter="(&(objectClass=posixGroup)(|(memberUid=oscar)(uniqueMember=uid=oscar,ou=cat,ou=tecnic,dc=mycompany,dc=com)))"
> filter="(&(objectClass=posixAccount)(uid=root))"
> filter="(&(objectClass=posixAccount)(uid=root))"
>
> You can see the difference between user 'oscar' (exists in LDAP ddbb) and
> the others (doesn't exist in LDAP ddbb).
>
> The main question is: why appears users 'postfix', 'root', 'paola',
> 'sendmail' or even 'devnull' in LDAP log if they doesn't exist in LDAP
> database? Obviously, they appears because there're query under this
> UID/username.
>
> Maybe the commented lines do that the different users/daemons (like
> postfix, nobody or mailer-daemon) always look at group and passwd
> directives, which has files and ldap. So, they ask something in files
> (/etc/passwd and /etc/groups) and the default nsswitch.conf behaviour is,
> "I don't know, please ask for to the next source" and the query is passed
> to ldap resource.

nsswitch is probably checking LDAP for group memberships. You can see that for the "oscar" user that is in LDAP, the posixAccount query is immediately followed by a query looking up all groups that the user is a member of. This lets you add local users to groups that exist only in LDAP, by creating a shadow user in LDAP with the same name and adding it to groups.

If you're worried about overloading your ldap server with queries for nonexistent users (which is unlikely), you can enable nscd, which will cache negative responses for 60 seconds (see the nscd and nscd.conf manpages).

--
Dan Nelson
dnelson@allantgroup.com
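To turn the thread's triage into something repeatable, here is an added example (not from either poster) that applies Dan's observation: a uid whose posixAccount lookup is followed by a posixGroup membership lookup exists in LDAP, while an account-only lookup is a fall-through from nsswitch. It cross-checks those uids against a client's /etc/passwd so the harmless local daemon lookups (candidates for nscd negative caching) are separated from uids neither source knows. The slapd syslog lines and the passwd excerpt are constructed samples in the layout the thread's awk '{print $12}' assumes.

```python
import re
from collections import Counter

# Constructed slapd syslog sample (field 12 is the filter, as in the thread's awk); not real data.
SAMPLE_LOG = """\
Aug  7 10:00:01 ldap slapd[812]: conn=41 op=1 SRCH base="dc=mycompany,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=postfix))"
Aug  7 10:00:01 ldap slapd[812]: conn=41 op=2 SRCH base="dc=mycompany,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=root))"
Aug  7 10:00:02 ldap slapd[812]: conn=42 op=1 SRCH base="dc=mycompany,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=oscar))"
Aug  7 10:00:02 ldap slapd[812]: conn=42 op=2 SRCH base="dc=mycompany,dc=com" scope=2 deref=0 filter="(&(objectClass=posixGroup)(|(memberUid=oscar)(uniqueMember=uid=oscar,ou=cat,ou=tecnic,dc=mycompany,dc=com)))"
Aug  7 10:00:03 ldap slapd[812]: conn=43 op=1 SRCH base="dc=mycompany,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=postfix))"
Aug  7 10:00:03 ldap slapd[812]: conn=43 op=2 SRCH base="dc=mycompany,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=paola))"
"""

# Constructed /etc/passwd excerpt from one LDAP client; only the first field is used.
LOCAL_PASSWD = """\
root:*:0:0:Charlie &:/root:/bin/csh
postfix:*:125:125:Postfix Mail System:/var/spool/postfix:/usr/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
"""

ACCOUNT_RE = re.compile(r'filter="\(&\(objectClass=posixAccount\)\(uid=([^)]+)\)\)"')
GROUP_RE = re.compile(r'filter="\(&\(objectClass=posixGroup\)\(\|\(memberUid=([^)]+)\)')

def local_uids(passwd_text):
    """uids defined in files(5); 'passwd: files ldap' answers these before asking LDAP."""
    return {ln.split(":", 1)[0] for ln in passwd_text.splitlines() if ln and not ln.startswith("#")}

def summarize(log_text, passwd_text):
    """Sort looked-up uids into buckets:
    in_ldap    - account lookup followed by a group-membership lookup (exists in LDAP)
    local_only - defined in /etc/passwd, never answered by LDAP (nsswitch fall-through;
                 harmless, and what nscd's negative cache would absorb)
    unknown    - in neither source; find which client and daemon keeps asking for it"""
    accounts, groups = Counter(), Counter()
    for line in log_text.splitlines():
        if (m := ACCOUNT_RE.search(line)):
            accounts[m.group(1)] += 1
        elif (m := GROUP_RE.search(line)):
            groups[m.group(1)] += 1
    local = local_uids(passwd_text)
    return {
        "in_ldap": sorted(u for u in accounts if groups[u]),
        "local_only": sorted(u for u in accounts if not groups[u] and u in local),
        "unknown": sorted(u for u in accounts if not groups[u] and u not in local),
        "account_lookups": dict(accounts),
    }

if __name__ == "__main__":
    for bucket, uids in summarize(SAMPLE_LOG, LOCAL_PASSWD).items():
        print(f"{bucket}: {uids}")
```

Feed it the real syslog with `summarize(open("/var/log/syslog").read(), open("/etc/passwd").read())`; the grep step is unnecessary because lines without a matching filter are skipped.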