From kappa@capella.park.rambler.ru  Mon Oct 10 17:40:49 2005
Return-Path: <kappa@capella.park.rambler.ru>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id F1A3416A41F
	for <FreeBSD-gnats-submit@freebsd.org>; Mon, 10 Oct 2005 17:40:49 +0000 (GMT)
	(envelope-from kappa@capella.park.rambler.ru)
Received: from yam.park.rambler.ru (yam.park.rambler.ru [81.19.64.116])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 5FE4C43D45
	for <FreeBSD-gnats-submit@freebsd.org>; Mon, 10 Oct 2005 17:40:48 +0000 (GMT)
	(envelope-from kappa@capella.park.rambler.ru)
Received: from capella.park.rambler.ru (capella.park.rambler.ru [81.19.65.30])
	by yam.park.rambler.ru (8.13.3/8.13.3) with ESMTP id j9AHeldC059141
	for <FreeBSD-gnats-submit@freebsd.org>; Mon, 10 Oct 2005 21:40:47 +0400 (MSD)
	(envelope-from kappa@capella.park.rambler.ru)
Received: by capella.park.rambler.ru (Postfix, from userid 1001)
	id EEE54414F; Mon, 10 Oct 2005 21:41:32 +0400 (MSD)
Message-Id: <20051010174132.EEE54414F@capella.park.rambler.ru>
Date: Mon, 10 Oct 2005 21:41:32 +0400 (MSD)
From: Alex Kapranoff <alex@kapranoff.ru>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: cron(8) cannot send mail when world is build w/o NIS
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         87221
>Category:       bin
>Synopsis:       cron(8) cannot send mail when world is build w/o NIS
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    brooks
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Oct 10 17:50:15 GMT 2005
>Closed-Date:    Wed Jan 11 06:28:38 GMT 2006
>Last-Modified:  Wed Jan 11 06:28:38 GMT 2006
>Originator:     Alex Kapranoff
>Release:        FreeBSD 5.2-CURRENT i386
>Organization:
Inner Mongolia
>Environment:
FreeBSD capella.park.rambler.ru 5.2-CURRENT FreeBSD 5.2-CURRENT #0: Tue Jun 15 17:17:42 MSD 2004     root@capella.rambler.stack.net:/usr/obj/usr/src/sys/CAPELLA  i386

	
>Description:
cron(8) tries to send mail without specifying recipient.
It really seems to be bug in nsswitch mechanism because of these log
entries (from /var/log/cron):
Oct 10 21:30:00 capella cron[13567]: NSSWITCH(nss_method_lookup): nis, group_compat, setgrent, not found
Oct 10 21:30:00 capella cron[13567]: NSSWITCH(nss_method_lookup): nis, group_compat, endgrent, not found
Oct 10 21:30:00 capella cron[13567]: NSSWITCH(nss_method_lookup): nis, passwd_compat, endpwent, not found

I have 'NO_NIS=yes' in /etc/make.conf and default /etc/nsswitch.conf.

>How-To-Repeat:
Build a system without NIS, then try to cron a non-silent program.
Observe no mail (or negative delivery notofication).
>Fix:

	

>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->feedback 
State-Changed-By: bz 
State-Changed-When: Mon Oct 10 18:31:52 GMT 2005 
State-Changed-Why:  



Responsible-Changed-From-To: freebsd-bugs->bz 
Responsible-Changed-By: bz 
Responsible-Changed-When: Mon Oct 10 18:31:52 GMT 2005 
Responsible-Changed-Why:  
I committed NO_NIS so I will handle this. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=87221 

From: "Bjoern A. Zeeb" <bz@FreeBSD.org>
To: Alex Kapranoff <alex@kapranoff.ru>
Cc: Bug-followup@FreeBSD.org
Subject: Re: bin/87221: cron(8) cannot send mail when world is build w/o NIS
Date: Mon, 10 Oct 2005 18:35:15 +0000 (UTC)

 > I have 'NO_NIS=yes' in /etc/make.conf and default /etc/nsswitch.conf.
 
 does
 
 man 5 nsswitch.conf
 
 NOTES
      If system got compiled with NO_NIS you have to remove `nis' entries.
 
 help you? This is not done automagically because nsswitch.conf is
 created on the fly if not already there and any change would be
 too intrusive to support non-default configurations.

From: Alex Kapranoff <alex@kapranoff.ru>
To: "Bjoern A. Zeeb" <bz@FreeBSD.org>
Cc: Bug-followup@FreeBSD.org
Subject: Re: bin/87221: cron(8) cannot send mail when world is build w/o NIS
Date: Mon, 10 Oct 2005 23:42:20 +0400

 Bjoern A. Zeeb wrote:
 >>I have 'NO_NIS=yes' in /etc/make.conf and default /etc/nsswitch.conf.
 > 
 > does
 > 
 > man 5 nsswitch.conf
 > 
 > NOTES
 >      If system got compiled with NO_NIS you have to remove `nis' entries.
 > 
 > help you? This is not done automagically because nsswitch.conf is
 > created on the fly if not already there and any change would be
 > too intrusive to support non-default configurations.
 
 This, and the same in make.conf(5) and probably an item in UPDATING (too late?).
 
 It was really quite hard to track negative delivery notifications about not being able to 
 send a totally empty mails first to postfix (which does not return errors to cron), then 
 to cron, then to nsswitch.
 
 And why it fails in such a strange way? It would be very natural to just ignore 'nis' 
 entries in nsswitch.conf when NIS is not available, I suppose, so that default config 
 could work for (just about) everyone.
 
 What do you think?

From: "Bjoern A. Zeeb" <bz@FreeBSD.org>
To: Alex Kapranoff <alex@kapranoff.ru>
Cc: Bug-followup@FreeBSD.org
Subject: Re: bin/87221: cron(8) cannot send mail when world is build w/o NIS
Date: Mon, 10 Oct 2005 20:25:13 +0000 (UTC)

 > This, and the same in make.conf(5) and probably an item in UPDATING (too late?).
 
 it doesn't belong to make.conf and it didn't belong to UPDATING
 either (no default behavior was changed and that option hadn't
 existed in any working way before).
 
 It was discussed what to do with /etc/nsswitch.conf but considering
 the amount of hacks needed it was decided to only document that
 problem in nsswitch.conf(5) when the first person noticed that.
 
 
 > It was really quite hard to track negative delivery notifications about not being able to
 > send a totally empty mails first to postfix (which does not return errors to cron), then
 > to cron, then to nsswitch.
 
 I think general opinion is that when you change default configuration
 in such a way you are supposed to know what you are doing and you
 should have found warnings in the logs. For sure it would be better if
 things where 'just working' in all cases but no easy solution was
 found.
 
 You might also see warnings when loggin in in with ssh,etc. and
 using passwords.
 
 Does removing the nis entries solve your cron problem?
 
 
 > And why it fails in such a strange way? It would be very natural to just ignore 'nis'
 > entries in nsswitch.conf when NIS is not available, I suppose, so that default config
 > could work for (just about) everyone.
 >
 > What do you think?
 
 Having a short glance at the code it seems the same for HESIOD.
 It's not my code and I am not really familiar with it. I had only
 added the Makefile knobs.
 
 If you want to change the code I'd prefer to release the PR again
 to public so someone knowing that code can help you. Would that be
 ok?
 
 I'd also like to point you to
 	http://wikitest.freebsd.org/moin.cgi/MichaelBushkov
 where more nss related code got touched lately.
 
State-Changed-From-To: feedback->patched 
State-Changed-By: bz 
State-Changed-When: Wed Oct 12 19:06:56 GMT 2005 
State-Changed-Why:  
A comment has been committed to make.conf(5). 


Responsible-Changed-From-To: bz->brooks 
Responsible-Changed-By: bz 
Responsible-Changed-When: Wed Oct 12 19:06:56 GMT 2005 
Responsible-Changed-Why:  
Brooks will handle any further discussions about source code changes. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=87221 
State-Changed-From-To: patched->closed 
State-Changed-By: brooks 
State-Changed-When: Wed Jan 11 06:24:26 UTC 2006 
State-Changed-Why:  
I don't feel further changes are warranted because NO_NIS is 
non-standard and automatic workarounds in the area of authentication and 
authorization services are a generally a bad idea. 

If you're still unhappy with the state of affairs consider submitting a 
new PR requesting a nsswitch.conf sanity checker.  Such a feature would 
be useful and would pose less of a risk of automatically unsecuring a 
system. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=87221 
>Unformatted:
