1NSSWITCH.CONF(5)           Linux Programmer's Manual          NSSWITCH.CONF(5)
2
3
4

NAME

6       nsswitch.conf - Name Service Switch configuration file
7

DESCRIPTION

9       The  Name  Service Switch (NSS) configuration file, /etc/nsswitch.conf,
10       is used by the GNU C Library and certain other applications  to  deter‐
11       mine  the  sources  from  which to obtain name-service information in a
12       range of categories, and in what order.  Each category  of  information
13       is identified by a database name.
14
15       The  file  is plain ASCII text, with columns separated by spaces or tab
16       characters.  The first column specifies the database name.  The remain‐
17       ing columns describe the order of sources to query and a limited set of
18       actions that can be performed by lookup result.
19
20       The following databases are understood by the GNU C Library:
21
22       aliases     Mail aliases, used by getaliasent(3) and related functions.
23
24       ethers      Ethernet numbers.
25
26       group       Groups of users, used by getgrent(3) and related functions.
27
28       hosts       Host  names  and  numbers,  used  by  gethostbyname(3)  and
29                   related functions.
30
31       initgroups  Supplementary  group  access  list, used by getgrouplist(3)
32                   function.
33
34       netgroup    Network-wide list of  hosts  and  users,  used  for  access
35                   rules.   C  libraries  before glibc 2.1 supported netgroups
36                   only over NIS.
37
38       networks    Network names and numbers, used by getnetent(3) and related
39                   functions.
40
41       passwd      User passwords, used by getpwent(3) and related functions.
42
43       protocols   Network protocols, used by getprotoent(3) and related func‐
44                   tions.
45
46       publickey   Public and secret keys for Secure_RPC used by NFS and NIS+.
47
48       rpc         Remote procedure call names and numbers, used by  getrpcby‐
49                   name(3) and related functions.
50
51       services    Network  services,  used by getservent(3) and related func‐
52                   tions.
53
54       shadow      Shadow user passwords,  used  by  getspnam(3)  and  related
55                   functions.
56
57       The  GNU C Library ignores databases with unknown names.  Some applica‐
58       tions use this to implement special handling for their  own  databases.
59       For example, sudo(8) consults the sudoers database.
60
61       Here is an example /etc/nsswitch.conf file:
62
63           passwd:         compat
64           group:          compat
65           shadow:         compat
66
67           hosts:          dns [!UNAVAIL=return] files
68           networks:       nis [NOTFOUND=return] files
69           ethers:         nis [NOTFOUND=return] files
70           protocols:      nis [NOTFOUND=return] files
71           rpc:            nis [NOTFOUND=return] files
72           services:       nis [NOTFOUND=return] files
73
74       The first column is the database name.  The remaining columns specify:
75
76       *  One  or  more service specifications, for example, "files", "db", or
77          "nis".  The order of the services on the line determines  the  order
78          in  which those services will be queried, in turn, until a result is
79          found.
80
81       *  Optional actions to perform if a particular result is obtained  from
82          the preceding service, for example, "[NOTFOUND=return]".
83
84       The service specifications supported on your system depend on the pres‐
85       ence of shared libraries,  and  are  therefore  extensible.   Libraries
86       called  /lib/libnss_SERVICE.so.X  will provide the named SERVICE.  On a
87       standard installation, you can use "files", "db", "nis", and "nisplus".
88       For  the  hosts  database, you can additionally specify "dns".  For the
89       passwd, group, and shadow databases, you can additionally specify "com‐
90       pat" (see Compatibility mode below).  The version number X may be 1 for
91       glibc 2.0, or 2 for glibc 2.1 and later.  On  systems  with  additional
92       libraries  installed,  you  may have access to further services such as
93       "hesiod", "ldap", "winbind" and "wins".
94
95       If System Security Services Daemon (SSSD) is installed on your  system,
96       you  can  use  this  service with the "sss" keyword.  SSSD supports the
97       following databases: passwd, group, services and netgroup.
98
99       An action may also be specified following a service specification.  The
100       action  modifies the behavior following a result obtained from the pre‐
101       ceding data source.  Action items take the general form:
102
103           [STATUS=ACTION]
104           [!STATUS=ACTION]
105
106       where
107
108           STATUS => success | notfound | unavail | tryagain
109           ACTION => return | continue | merge
110
111       The ! negates the test, matching all possible results  except  the  one
112       specified.  The case of the keywords is not significant.
113
114       The  STATUS  value is matched against the result of the lookup function
115       called by the preceding service specification, and can be one of:
116
117           success     No error occurred and the requested entry is  returned.
118                       The default action for this condition is "return".
119
120           notfound    The  lookup  succeeded, but the requested entry was not
121                       found.  The default action for this condition is  "con‐
122                       tinue".
123
124           unavail     The  service is permanently unavailable.  This can mean
125                       either that the required file cannot be read,  or,  for
126                       network  services,  that the server is not available or
127                       does not allow queries.  The default  action  for  this
128                       condition is "continue".
129
130           tryagain    The  service  is  temporarily  unavailable.  This could
131                       mean a file is locked  or  a  server  currently  cannot
132                       accept  more  connections.  The default action for this
133                       condition is "continue".
134
135       The ACTION value can be one of:
136
137           return      Return a result now.  Do not call  any  further  lookup
138                       functions.  However, for compatibility reasons, if this
139                       is the selected action for the group database  and  the
140                       notfound  status,  and  the configuration file does not
141                       contain the initgroups line, the next  lookup  function
142                       is always called, without affecting the search result.
143
144           continue    Call the next lookup function.
145
146           merge       [SUCCESS=merge]  is  used between two database entries.
147                       When a group is located in the first of the  two  group
148                       entries,  processing  will continue on to the next one.
149                       If the group is also found in the next entry  (and  the
150                       group name and GID are an exact match), the member list
151                       of the second entry will be added to the  group  object
152                       to be returned.  Available since glibc 2.24.  Note that
153                       merging will not  be  done  for  getgrent(3)  nor  will
154                       duplicate  members  be  pruned  when they occur in both
155                       entries being merged.
156
157   Compatibility mode (compat)
158       The NSS "compat" service is similar to "files" except that it addition‐
159       ally  permits special entries in corresponding files for granting users
160       or members of netgroups access to the system.   The  following  entries
161       are valid in this mode:
162
163           For passwd and shadow databases:
164
165               +user       Include   the   specified   user   from   the   NIS
166                           passwd/shadow map.
167
168               +@netgroup  Include all users in the given netgroup.
169
170               -user       Exclude   the   specified   user   from   the   NIS
171                           passwd/shadow map.
172
173               -@netgroup  Exclude all users in the given netgroup.
174
175               +           Include  every  user,  except  previously  excluded
176                           ones, from the NIS passwd/shadow map.
177
178           For group database:
179
180               +group      Include the specified group from the NIS group map.
181
182               -group      Exclude the specified group from the NIS group map.
183
184               +           Include every  group,  except  previously  excluded
185                           ones, from the NIS group map.
186
187       By default, the source is "nis", but this may be overridden by specify‐
188       ing any NSS service except  "compat"  itself  as  the  source  for  the
189       pseudo-databases passwd_compat, group_compat, and shadow_compat.
190
191       If  SSSD  is  installed on your system, you can use "sss" as the source
192       for these pseudo-databases.
193

FILES

195       A service named SERVICE is implemented by a shared object library named
196       libnss_SERVICE.so.X that resides in /lib.
197
198           /etc/nsswitch.conf       NSS configuration file.
199           /lib/libnss_compat.so.X  implements "compat" source.
200           /lib/libnss_db.so.X      implements "db" source.
201           /lib/libnss_dns.so.X     implements "dns" source.
202           /lib/libnss_files.so.X   implements "files" source.
203           /lib/libnss_hesiod.so.X  implements "hesiod" source.
204           /lib/libnss_nis.so.X     implements "nis" source.
205           /lib/libnss_nisplus.so.X implements "nisplus" source.
206
207       The  following  files  are  read  when  "files" source is specified for
208       respective databases:
209
210           aliases     /etc/aliases
211           ethers      /etc/ethers
212           group       /etc/group
213           hosts       /etc/hosts
214           initgroups  /etc/group
215           netgroup    /etc/netgroup
216           networks    /etc/networks
217           passwd      /etc/passwd
218           protocols   /etc/protocols
219           publickey   /etc/publickey
220           rpc         /etc/rpc
221           services    /etc/services
222           shadow      /etc/shadow
223

NOTES

225       Within each process that uses nsswitch.conf, the entire  file  is  read
226       only  once.   If  the  file is later changed, the process will continue
227       using the old configuration.
228
229       Traditionally, there was only a single source for service  information,
230       often  in  the form of a single configuration file (e.g., /etc/passwd).
231       However, as other name services, such as the Network  Information  Ser‐
232       vice  (NIS) and the Domain Name Service (DNS), became popular, a method
233       was needed that would be more flexible than fixed search  orders  coded
234       into the C library.  The Name Service Switch mechanism, which was based
235       on the mechanism used by Sun Microsystems in the Solaris 2  C  library,
236       introduced a cleaner solution to the problem.
237

SEE ALSO

239       getent(1), nss(5)
240

COLOPHON

242       This  page  is  part of release 4.15 of the Linux man-pages project.  A
243       description of the project, information about reporting bugs,  and  the
244       latest     version     of     this    page,    can    be    found    at
245       https://www.kernel.org/doc/man-pages/.
246
247
248
249Linux                             2017-05-03                  NSSWITCH.CONF(5)
Impressum