NSSWITCH.CONF(5) Linux Programmer's Manual NSSWITCH.CONF(5)

NAME
nsswitch.conf - Name Service Switch configuration file

DESCRIPTION
The Name Service Switch (NSS) configuration file, /etc/nsswitch.conf,
is used by the GNU C Library and certain other applications to determine
the sources from which to obtain name-service information in a range of
categories, and in what order. Each category of information is
identified by a database name.

The file is plain ASCII text, with columns separated by spaces or tab
characters. The first column specifies the database name. The remaining
columns describe the order of sources to query and a limited set of
actions that can be performed by lookup result.

The following databases are understood by the GNU C Library:

aliases     Mail aliases, used by getaliasent(3) and related functions.

ethers      Ethernet numbers.

group       Groups of users, used by getgrent(3) and related functions.

hosts       Host names and numbers, used by gethostbyname(3) and
            related functions.

initgroups  Supplementary group access list, used by the
            getgrouplist(3) function.

netgroup    Network-wide list of hosts and users, used for access
            rules. C libraries before glibc 2.1 supported netgroups
            only over NIS.

networks    Network names and numbers, used by getnetent(3) and related
            functions.

passwd      User passwords, used by getpwent(3) and related functions.

protocols   Network protocols, used by getprotoent(3) and related
            functions.

publickey   Public and secret keys for Secure_RPC used by NFS and NIS+.

rpc         Remote procedure call names and numbers, used by
            getrpcbyname(3) and related functions.

services    Network services, used by getservent(3) and related
            functions.

shadow      Shadow user passwords, used by getspnam(3) and related
            functions.

The GNU C Library ignores databases with unknown names. Some applications
use this to implement special handling for their own databases.
For example, sudo(8) consults the sudoers database.

Here is an example /etc/nsswitch.conf file:

    passwd:         compat
    group:          compat
    shadow:         compat

    hosts:          dns [!UNAVAIL=return] files
    networks:       nis [NOTFOUND=return] files
    ethers:         nis [NOTFOUND=return] files
    protocols:      nis [NOTFOUND=return] files
    rpc:            nis [NOTFOUND=return] files
    services:       nis [NOTFOUND=return] files

The first column is the database name. The remaining columns specify:

* One or more service specifications, for example, "files", "db", or
  "nis". The order of the services on the line determines the order
  in which those services will be queried, in turn, until a result is
  found.

* Optional actions to perform if a particular result is obtained from
  the preceding service, for example, "[NOTFOUND=return]".

The service specifications supported on your system depend on the
presence of shared libraries, and are therefore extensible. Libraries
called /lib/libnss_SERVICE.so.X will provide the named SERVICE. On a
standard installation, you can use "files", "db", "nis", and "nisplus".
For the hosts database, you can additionally specify "dns". For the
passwd, group, and shadow databases, you can additionally specify
"compat" (see Compatibility mode below). The version number X may be 1
for glibc 2.0, or 2 for glibc 2.1 and later. On systems with additional
libraries installed, you may have access to further services such as
"hesiod", "ldap", "winbind" and "wins".

If System Security Services Daemon (SSSD) is installed on your system,
you can use this service with the "sss" keyword. SSSD supports the
following databases: passwd, group, services and netgroup.

An action may also be specified following a service specification. The
action modifies the behavior following a result obtained from the
preceding data source. Action items take the general form:

    [STATUS=ACTION]
    [!STATUS=ACTION]

where

    STATUS => success | notfound | unavail | tryagain
    ACTION => return | continue | merge

The ! negates the test, matching all possible results except the one
specified. The case of the keywords is not significant.

The STATUS value is matched against the result of the lookup function
called by the preceding service specification, and can be one of:

success    No error occurred and the requested entry is returned.
           The default action for this condition is "return".

notfound   The lookup succeeded, but the requested entry was not
           found. The default action for this condition is
           "continue".

unavail    The service is permanently unavailable. This can mean
           either that the required file cannot be read, or, for
           network services, that the server is not available or
           does not allow queries. The default action for this
           condition is "continue".

tryagain   The service is temporarily unavailable. This could
           mean a file is locked or a server currently cannot
           accept more connections. The default action for this
           condition is "continue".

The ACTION value can be one of:

return     Return a result now. Do not call any further lookup
           functions. However, for compatibility reasons, if this
           is the selected action for the group database and the
           notfound status, and the configuration file does not
           contain the initgroups line, the next lookup function
           is always called, without affecting the search result.

continue   Call the next lookup function.

merge      [SUCCESS=merge] is used between two database entries.
           When a group is located in the first of the two group
           entries, processing will continue on to the next one.
           If the group is also found in the next entry (and the
           group name and GID are an exact match), the member list
           of the second entry will be added to the group object
           to be returned. Available since glibc 2.24. Note that
           merging will not be done for getgrent(3) nor will
           duplicate members be pruned when they occur in both
           entries being merged.
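
The line format and the action rules above, as an added worked example
that is not part of this page or of glibc: a parser for configuration
lines and a simulation of the dispatch they describe, including the
documented defaults, the "!" negation and the return/continue/merge
actions. The source names, the lookup callables (files_src, ldap_src,
ldap_down) and the group records are constructed for the illustration;
the real switch lives inside libc and this only models the stated rules.

```python
"""Parse nsswitch.conf lines and simulate the lookup dispatch they describe.

Added example, not part of the nsswitch.conf(5) page or glibc. The lookup
functions, the group records and the service names below are constructed
sample data; glibc's real switch lives in libc, this only models the rules
the page documents (defaults, "!" negation, return/continue/merge).
"""
import re

STATUSES = ("success", "notfound", "unavail", "tryagain")
ACTIONS = ("return", "continue", "merge")
# Documented defaults: success returns, every other status continues.
DEFAULT_ACTION = {"success": "return", "notfound": "continue",
                  "unavail": "continue", "tryagain": "continue"}
ACTION_RE = re.compile(r"^\[(!?)(\w+)=(\w+)\]$")


def parse_line(line):
    """Parse 'database: source [STATUS=ACTION] source ...' into
    (database, [(source, {status: action}), ...]). An action item binds to
    the service specification that precedes it; keywords are case-insensitive."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    db, _, rest = line.partition(":")
    sources = []
    for tok in rest.split():
        m = ACTION_RE.match(tok)
        if not m:
            sources.append((tok.lower(), {}))
            continue
        if not sources:
            raise ValueError("action %r has no preceding service" % tok)
        negate, status, action = m.group(1) == "!", m.group(2).lower(), m.group(3).lower()
        if status not in STATUSES or action not in ACTIONS:
            raise ValueError("bad action item %r" % tok)
        overrides = sources[-1][1]
        # "!" matches every status except the named one.
        for s in (set(STATUSES) - {status}) if negate else {status}:
            overrides[s] = action
    return db.strip().lower(), sources


def lookup(sources, services, key):
    """Walk the sources in order the way the switch does.

    `services` maps a source name to a callable returning (status, record);
    a source with no library behind it is treated as "unavail". Records are
    dicts with name/gid/mem so that "merge" can be modelled for groups.
    """
    pending = None            # record held back by a [SUCCESS=merge] source
    last = ("notfound", None)
    for name, overrides in sources:
        status, rec = services[name](key) if name in services else ("unavail", None)
        if pending is not None:
            if status == "success" and (rec["name"], rec["gid"]) == (pending["name"], pending["gid"]):
                # Same group found again: append the second member list (no de-duplication).
                rec = dict(pending, mem=pending["mem"] + rec["mem"])
            elif status != "success":
                status, rec = "success", pending   # keep the earlier hit
            pending = None
        action = overrides.get(status, DEFAULT_ACTION[status])
        if action == "merge" and status == "success":
            pending = rec
        elif action == "return":
            return status, rec
        last = (status, rec)
    return last


# Constructed sample sources: a local "files" source and a directory source
# that either answers or is down. None of these are real NSS modules.
FILES_GROUPS = {"admins": {"name": "admins", "gid": 1000, "mem": ["alice"]}}
LDAP_GROUPS = {"admins": {"name": "admins", "gid": 1000, "mem": ["bob"]}}


def files_src(key):
    return ("success", FILES_GROUPS[key]) if key in FILES_GROUPS else ("notfound", None)


def ldap_src(key):
    return ("success", LDAP_GROUPS[key]) if key in LDAP_GROUPS else ("notfound", None)


def ldap_down(key):
    return ("unavail", None)


def resolve(config_line, services, key):
    """Parse one configuration line and run a lookup for `key` through it."""
    _db, sources = parse_line(config_line)
    return lookup(sources, services, key)


if __name__ == "__main__":
    up = {"files": files_src, "ldap": ldap_src}
    print(resolve("group: files [SUCCESS=merge] ldap", up, "admins"))
    print(resolve("group: files [NOTFOUND=return] ldap", up, "nobody"))
    print(resolve("group: ldap files", {"ldap": ldap_down, "files": files_src}, "admins"))
```

Running the three calls at the bottom shows the three behaviours the
page describes: the merged member list, a "[NOTFOUND=return]" that stops
the search before the second source is consulted, and an unavailable
first source that falls through to "files" under the default "continue".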

Compatibility mode (compat)
The NSS "compat" service is similar to "files" except that it
additionally permits special entries in corresponding files for granting
users or members of netgroups access to the system. The following
entries are valid in this mode:

For passwd and shadow databases:

+user         Include the specified user from the NIS
              passwd/shadow map.

+@netgroup    Include all users in the given netgroup.

-user         Exclude the specified user from the NIS
              passwd/shadow map.

-@netgroup    Exclude all users in the given netgroup.

+             Include every user, except previously excluded
              ones, from the NIS passwd/shadow map.

For group database:

+group        Include the specified group from the NIS group map.

-group        Exclude the specified group from the NIS group map.

+             Include every group, except previously excluded
              ones, from the NIS group map.

By default, the source is "nis", but this may be overridden by
specifying any NSS service except "compat" itself as the source for the
pseudo-databases passwd_compat, group_compat, and shadow_compat.

If SSSD is installed on your system, you can use "sss" as the source
for these pseudo-databases.
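
The five passwd/shadow entry forms above, as an added model that is not
part of this page or of glibc's libnss_compat: it expands a local passwd
file containing +user, +@netgroup, -user, -@netgroup and bare + lines
against a NIS passwd map. The passwd lines, the map and the netgroups are
constructed sample data, and two simplifications are the model's own: an
exclusion applies to every later + entry, and a login already emitted is
not emitted a second time.

```python
"""Model of the NSS "compat" source's +/- entries for the passwd database.

Added example, not part of nsswitch.conf(5) or glibc's libnss_compat. The
passwd lines, the NIS passwd map and the netgroups are constructed sample
data, and the model only covers the five entry forms the page lists.
"""


def parse_passwd(text):
    """Yield (login, fields) for every non-blank passwd-format line."""
    for line in text.splitlines():
        if line.strip():
            fields = line.split(":")
            yield fields[0], fields


def compat_passwd(local_text, nis_map, netgroups):
    """Expand a passwd file in compat mode against a NIS passwd map.

    local_text: the local passwd file, which may hold +user, +@netgroup,
                -user, -@netgroup and bare + lines
    nis_map:    {login: passwd line} standing in for the NIS passwd map
    netgroups:  {netgroup: {login, ...}} (only the user part matters here)
    Returns the passwd lines an enumeration would see, in file order.
    Exclusions apply to every later + entry and a login already emitted is
    not emitted again (both are simplifications of this model).
    """
    out, seen, excluded = [], set(), set()
    for login, fields in parse_passwd(local_text):
        if login.startswith("-"):
            # -user / -@netgroup: remember who must not come in from NIS
            name = login[1:]
            excluded |= netgroups.get(name[1:], set()) if name.startswith("@") else {name}
        elif login.startswith("+"):
            name = login[1:]
            if name == "":                      # "+": everyone in the NIS map
                wanted = list(nis_map)
            elif name.startswith("@"):          # "+@netgroup": its members
                wanted = [u for u in nis_map if u in netgroups.get(name[1:], set())]
            else:                               # "+user": one NIS entry
                wanted = [name] if name in nis_map else []
            for user in wanted:
                if user not in excluded and user not in seen:
                    out.append(nis_map[user])
                    seen.add(user)
        else:
            out.append(":".join(fields))        # ordinary local entry
            seen.add(login)
    return out


# Constructed sample data (not from any real system).
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
-@guests
+@admins
-mallory
+
"""
NIS_PASSWD = {
    "alice": "alice:x:1001:100:Alice:/home/alice:/bin/bash",
    "bob": "bob:x:1002:100:Bob:/home/bob:/bin/bash",
    "carol": "carol:x:1003:100:Carol:/home/carol:/bin/bash",
    "mallory": "mallory:x:1004:100:Mallory:/home/mallory:/bin/bash",
}
NETGROUPS = {"admins": {"alice"}, "guests": {"carol"}}


def logins(lines):
    """Login names of a list of passwd lines, in order."""
    return [line.split(":")[0] for line in lines]


if __name__ == "__main__":
    for line in compat_passwd(LOCAL_PASSWD, NIS_PASSWD, NETGROUPS):
        print(line)
```

With the sample data the result is root, alice and bob: carol is kept
out by "-@guests", mallory by "-mallory", and the bare "+" at the end
only brings in the NIS users not excluded earlier. A file without any
+/- lines behaves exactly like the "files" source.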

FILES
A service named SERVICE is implemented by a shared object library named
libnss_SERVICE.so.X that resides in /lib.

/etc/nsswitch.conf          NSS configuration file.
/lib/libnss_compat.so.X     implements "compat" source.
/lib/libnss_db.so.X         implements "db" source.
/lib/libnss_dns.so.X        implements "dns" source.
/lib/libnss_files.so.X      implements "files" source.
/lib/libnss_hesiod.so.X     implements "hesiod" source.
/lib/libnss_nis.so.X        implements "nis" source.
/lib/libnss_nisplus.so.X    implements "nisplus" source.

The following files are read when "files" source is specified for
respective databases:

aliases     /etc/aliases
ethers      /etc/ethers
group       /etc/group
hosts       /etc/hosts
initgroups  /etc/group
netgroup    /etc/netgroup
networks    /etc/networks
passwd      /etc/passwd
protocols   /etc/protocols
publickey   /etc/publickey
rpc         /etc/rpc
services    /etc/services
shadow      /etc/shadow

NOTES
Within each process that uses nsswitch.conf, the entire file is read
only once. If the file is later changed, the process will continue
using the old configuration.

Traditionally, there was only a single source for service information,
often in the form of a single configuration file (e.g., /etc/passwd).
However, as other name services, such as the Network Information
Service (NIS) and the Domain Name Service (DNS), became popular, a method
was needed that would be more flexible than fixed search orders coded
into the C library. The Name Service Switch mechanism, which was based
on the mechanism used by Sun Microsystems in the Solaris 2 C library,
introduced a cleaner solution to the problem.

SEE ALSO
getent(1), nss(5)

COLOPHON
This page is part of release 4.15 of the Linux man-pages project. A
description of the project, information about reporting bugs, and the
latest version of this page, can be found at
https://www.kernel.org/doc/man-pages/.

Linux 2017-05-03 NSSWITCH.CONF(5)