Willi Mann wrote:

> Will postfix/smtpd report anything useful to the secure logfile? If not,
> we should ignore it completely.
postfix/smtpd messages from auth.log (user/domain info obscured and run
through sort | uniq -c | sort -n):

    113 sql plugin create statement from cmusaslsecretCRAM-MD5 user example.com
    115 sql plugin create statement from userPassword user example.com
    126 begin transaction
    126 commit transaction
    229 sql plugin Parse the username [EMAIL PROTECTED]
    230 sql plugin doing query select password from mail_users where username='[EMAIL PROTECTED]';
    261 sql plugin try and connect to a host
    261 sql plugin trying to open db 'dbname' on host '127.0.0.1'
   2170 sql auxprop plugin using mysql engine

There seems to be no useful information from postfix/smtpd in auth.log.

>>     or ( $ThisLine =~ /^nss-mysql\[\d+\]: _nss_mysql_getspnam_r conf file parsing failed/ )

>> That is correct behaviour of libnss-mysql and caused by a non-root
>> process executing the equivalent of 'getent shadow'. Since this needs to
>> read a password column from the database the configuration file
>> containing the database password is readable by root only. (There is a
>> separate world readable configuration for passwd/group, but the database
>> password contained there should not allow access to the password
>> column).
> 
> Why is this reported? Is it not possible to configure nss-mysql to not
> even try to parse that conffile? It looks to me as if this log message
> reports a (minor) misconfiguration. If it is possible to avoid that
> message, then it's OK to report it as Unmatched Entry (this is the
> statement from Bjorn L. from upstream)

I had libnss-mysql rebuilt with debugging enabled and checked the debug
output comparing it with the code - looking for my configuration error.
So I found out that this message was not an error, but a "feature" - as
long as nss-mysql is working. But if nss_mysql is misconfigured, this
message would indicate an error, too.
This error message could only be fixed by hacking libnss-mysql.


Looking at libnss-mysql again, I actually found two projects (nss-mysql
(from which the Debian package libnss-mysql is made) and libnss-mysql
(Debian libnss-mysql-bg)) doing more or less the same thing. Perhaps
I'll try the other one some day.


Andreas

