NSSWITCH.CONF(5)          Linux Programmer's Manual         NSSWITCH.CONF(5)

NAME
       nsswitch.conf - System Databases and Name Service Switch
       configuration file

DESCRIPTION
       Various functions in the C Library need to be configured to work
       correctly in the local environment. Traditionally, this was done by
       using files (e.g., /etc/passwd), but other nameservices (like the
       Network Information Service (NIS) and the Domain Name Service (DNS))
       became popular, and were hacked into the C library, usually with a
       fixed search order.

       The Linux libc5 with NYS support and the GNU C Library 2.x
       (libc.so.6) contain a cleaner solution to this problem. It is
       modeled on a method used by Sun Microsystems in the C library of
       Solaris 2. We follow their name and call this scheme "Name Service
       Switch" (NSS). The sources for the "databases" and their lookup
       order are specified in the /etc/nsswitch.conf file.

       The following databases are available in the NSS:

       aliases
              Mail aliases, which provide a system-wide mechanism to
              redirect mail for local recipients. Used by mail transfer
              agents such as Postfix or sendmail(8). Note: On Linux, unlike
              on other Unices, Sendmail uses its own alias resolution
              system, independent of `/etc/nsswitch.conf'.

       ethers Ethernet numbers.

       group  Groups of users, used by getgrent(3) functions.

       hosts  Host names and numbers, used by gethostbyname(3) and similar
              functions.

       netgroup
              Network-wide list of hosts and users, used for access rules.
              C libraries before glibc 2.1 only support netgroups over NIS.

       networks
              Network names and numbers, used by getnetent(3) functions.

       passwd User passwords, used by getpwent(3) functions.

       protocols
              Network protocols, used by getprotoent(3) functions.

       publickey
              Public and secret keys for Secure_RPC used by NFS and NIS+.

       rpc    Remote procedure call names and numbers, used by
              getrpcbyname(3) and similar functions.

       services
              Network services, used by getservent(3) functions.

       shadow Shadow user passwords, used by getspnam(3).

       An example /etc/nsswitch.conf (namely, the default used when
       /etc/nsswitch.conf is missing):

           passwd:         compat
           group:          compat
           shadow:         compat

           hosts:          dns [!UNAVAIL=return] files
           networks:       nis [NOTFOUND=return] files
           ethers:         nis [NOTFOUND=return] files
           protocols:      nis [NOTFOUND=return] files
           rpc:            nis [NOTFOUND=return] files
           services:       nis [NOTFOUND=return] files

       The first column is the database. The rest of the line specifies how
       the lookup process works. You can specify the way it works for each
       database individually.

       The configuration specification for each database can contain two
       different items:
       * The service specification like `files', `db', or `nis'.
       * The reaction on lookup result like `[NOTFOUND=return]'.

       For libc5 with NYS, the allowed service specifications are `files',
       `nis', and `nisplus'. For hosts, you could specify `dns' as an extra
       service, and for passwd and group `compat', but not for shadow.

       For glibc, you must have a file called /lib/libnss_SERVICE.so.X for
       every SERVICE you are using. On a standard installation, you could
       use `files', `db', `nis', and `nisplus'. For hosts, you could
       specify `dns' as an extra service, and for passwd, group, and shadow
       `compat'. These services will not be used by libc5 with NYS. The
       version number X is 1 for glibc 2.0 and 2 for glibc 2.1.

       If System Security Services Daemon (SSSD) is installed on your
       system, you can use this service with the `sss' keyword. SSSD
       supports the following databases: passwd, group, services and
       netgroup.

       The second item in the specification gives the user much finer
       control over the lookup process. Action items are placed between two
       service names and are written within brackets. The general form is

              `[' ( `!'? STATUS `=' ACTION )+ `]'

       where

              STATUS => success | notfound | unavail | tryagain
              ACTION => return | continue

       The case of the keywords is insignificant. The STATUS values are the
       results of a call to a lookup function of a specific service. They
       mean:

       success
              No error occurred and the wanted entry is returned. The
              default action for this is `return'.

       notfound
              The lookup process works ok but the needed value was not
              found. The default action is `continue'. However, if the
              selected action for the `group' database is `return', the
              next lookup function is always called, without affecting the
              search result.

       unavail
              The service is permanently unavailable. This can either mean
              the needed file is not available, or, for DNS, the server is
              not available or does not allow queries. The default action
              is `continue'.

       tryagain
              The service is temporarily unavailable. This could mean a
              file is locked or a server currently cannot accept more
              connections. The default action is `continue'.

   Interaction with +/- syntax (compat mode)
       Linux libc5 without NYS does not have the name service switch but
       does allow the user some policy control. In /etc/passwd you could
       have entries of the form +user or +@netgroup (include the specified
       user from the NIS passwd map), -user or -@netgroup (exclude the
       specified user), and + (include every user, except the excluded
       ones, from the NIS passwd map). Since most people only put a + at
       the end of /etc/passwd to include everything from NIS, the switch
       provides a faster alternative for this case (`passwd: files nis')
       which doesn't require the single + entry in /etc/passwd, /etc/group,
       and /etc/shadow. If this is not sufficient, the NSS `compat' service
       provides full +/- semantics. By default, the source is `nis', but
       this may be overridden by specifying `nisplus' as the source for the
       pseudo-databases passwd_compat, group_compat and shadow_compat.
       These pseudo-databases are only available in the GNU C Library.

FILES
       A service named SERVICE is implemented by a shared object library
       named libnss_SERVICE.so.X that resides in /lib.

       /etc/nsswitch.conf         configuration file
       /lib/libnss_compat.so.X    implements `compat' source for glibc2
       /lib/libnss_db.so.X        implements `db' source for glibc2
       /lib/libnss_dns.so.X       implements `dns' source for glibc2
       /lib/libnss_files.so.X     implements `files' source for glibc2
       /lib/libnss_hesiod.so.X    implements `hesiod' source for glibc2
       /lib/libnss_nis.so.X       implements `nis' source for glibc2
       /lib/libnss_nisplus.so.2   implements `nisplus' source for glibc 2.1

NOTES
       Within each process that uses nsswitch.conf, the entire file is read
       only once; if the file is later changed, the process will continue
       using the old configuration.

       With Solaris, it isn't possible to link programs using the NSS
       Service statically. With Linux, this is no problem.

COLOPHON
       This page is part of release 3.22 of the Linux man-pages project. A
       description of the project, and information about reporting bugs,
       can be found at http://www.kernel.org/doc/man-pages/.

Linux                             1999-01-17                NSSWITCH.CONF(5)