NAME
nsswitch.conf - System Databases and Name Service Switch
configuration file
DESCRIPTION
Various functions in the C Library need to be configured to
work correctly in the local environment. Traditionally,
this was done by using files (e.g., `/etc/passwd'), but
other nameservices (like the Network Information Service
(NIS) and the Domain Name Service (DNS)) became popular, and
were hacked into the C library, usually with a fixed search
order.
The Linux libc5 with NYS support and the GNU C Library 2.x
(libc.so.6) contain a cleaner solution of this problem. It
is designed after a method used by Sun Microsystems in the C
library of Solaris 2. We follow their name and call this
scheme "Name Service Switch" (NSS). The sources for the
"databases" and their lookup order are specified in the
/etc/nsswitch.conf file.
The following databases are available in the NSS:
aliases
Mail aliases, used by sendmail(8)
ethers
Ethernet numbers
group
Groups of users, used by getgrent(3) functions.
hosts
Host names and numbers, used by gethostbyname(3) and
similar functions.
netgroup
Network wide list of hosts and users, used for access
rules
network
Network names and numbers, used by getnetent(3) func-
tions.
passwd
User passwords, used by getpwent(3) functions.
protocols
Network protocols, used by getprotoent(3) functions.
publickey
Public and secret keys for secure_rpc used by NIS+ and
NFS.
rpc Remote procedure call names and numbers, used by
getrpcbyname(3) and similar functions.
services
Network services, used by getservent(3) functions.
shadow
Shadow user passwords, used by getspnam(3)
An example /etc/nsswitch.conf file could be look like (This
is also the default if /etc/nsswitch.conf is missing):
9 passwd: compat
group: compat
shadow: compat
9 hosts: dns [!UNAVAIL=return] files
networks: nis [NOTFOUND=return] files
ethers: nis [NOTFOUND=return] files
protocols: nis [NOTFOUND=return] files
rpc: nis [NOTFOUND=return] files
services: nis [NOTFOUND=return] files
The first column is the database as you can guess from the
table above. The rest of the line specifies how the lookup
process works. You can specify the way it works for each
database individually.
The configuration specification for each database can con-
tain two different items:
* The service specification like `files', `db', or `nis'.
* The reaction on lookup result like `[NOTFOUND=return]'.
For libc5 with NYS, the allowed service specifications are
`files', `nis' and `nisplus'. For hosts, you could specify
`dns' as extra service, for passwd and group `compat', but
not for shadow.
For GNU C Library, you must have a file called
/lib/libnss_SERVICE.so.1 for every SERVICE you are using. On
a standard installation, you could use `files', `db', `nis'
and `nisplus'. For hosts, you could specify `dns' as extra
service, for passwd, group and shadow `compat'. This Ser-
vices will not be used by libc5 with NYS.
The second item in the specification gives the user much
finer control on the lookup process. Action items are
placed between two service names and are written within
brackets. The general form is
where
9 STATUS => success | notfound | unavail | tryagain
ACTION => return | continue
The case of the keywords is insignificant. The STATUS values
are the results of a call to a lookup function of a specific
service. They mean:
success
No error occurred and the wanted entry is returned. The
default action for this is `return'.
notfound
The lookup process works ok but the needed value was
not found. The default action is `continue'.
unavail
The service is permanently unavailable. This can
either mean the needed file is not available, or, for
DNS, the server is not available or does not allow
queries. The default action is `continue'.
tryagain
The service is temporarily unavailable. This could
mean a file is locked or a server currently cannot
accept more connections. The default action is `con-
tinue'.
Interaction with +/- syntax (compat mode)
Linux libc5 without NYS does not has the name service switch
but does allow the user some policy control. In /etc/passwd
you could have entries of the form +user or +@netgroup
(include the specified user from the NIS passwd map), -user
or -@netgroup (exclude the specified user) and + (include
every user, except the excluded ones, from the NIS passwd
map). Since most people only put a + at the end of
/etc/passwd to include everything from NIS, the switch pro-
vides a faster alternative for this case (`passwd: files
nis') which doesn't require the single + entry in
/etc/passwd, /etc/group and /etc/shadow. If this is not
sufficient, the NSS `compat' service provides full +/-
semantics. By default, the source is `nis', but this may be
overriden by specifying `nisplus' as source for the pseudo-
databases passwd_compat, group_compat and shadow_compat.
This pseudo-databases are only available in GNU C Library.
FILES
A service named SERVICE is implemented by a shared object
library named libnss_SERVICE.so.1 that resides in /lib.
9
C Library 2.x
/lib/libnss_db.so.1 implements `db' source for GNU C
Library 2.x
/lib/libnss_dns.so.1 implements `dns' source for GNU C
Library 2.x
/lib/libnss_files.so.1 implements `files' source for GNU C
Library 2.x
/lib/libnss_hesoid.so.1 implements `hesoid' source for GNU
C Library 2.x
/lib/libnss_nis.so.1 implements `nis' source for GNU C
Library 2.x
/lib/libnss_nisplus.so.1 implements `nisplus' source for GNU
C Library 2.x
NOTES
Within each process that uses nsswitch.conf, the entire file
is read only once; if the file is later changed, the process
will continue using the old configuration.
With Solaris, is isn't possible to link programs using the
NSS Service statically. With Linux, this is no problem.