1NSSWITCH.CONF(5)           Linux Programmer's Manual          NSSWITCH.CONF(5)
2
3
4

NAME

6       nsswitch.conf  - System Databases and Name Service Switch configuration
7       file
8

DESCRIPTION

10       Various functions in the C Library need to be configured to  work  cor‐
11       rectly in the local environment.  Traditionally, this was done by using
12       files (e.g., /etc/passwd), but other  nameservices  (like  the  Network
13       Information  Service  (NIS)  and  the Domain Name Service (DNS)) became
14       popular, and were hacked into the  C  library,  usually  with  a  fixed
15       search order.
16
17       The  Linux libc5 with NYS support and the GNU C Library 2.x (libc.so.6)
18       contain a cleaner solution of this problem.  It  is  designed  after  a
19       method used by Sun Microsystems in the C library of Solaris 2.  We fol‐
20       low their name and call this scheme "Name Service Switch"  (NSS).   The
21       sources for the "databases" and their lookup order are specified in the
22       /etc/nsswitch.conf file.
23
24       The following databases are available in the NSS:
25
26       aliases
27              Mail aliases, provides a system-wide mechanism to redirect  mail
28              for local recipients. Used by mail transfer agents such as Post‐
29              fix or sendmail(8).  Note: On Linux, not like on  other  Unices,
30              Sendmail  uses  its own aliases resolution system independent on
31              `/etc/nsswitch.conf'.
32
33       ethers Ethernet numbers.
34
35       group  Groups of users, used by getgrent(3) functions.
36
37       hosts  Host names and numbers, used  by  gethostbyname(3)  and  similar
38              functions.
39
40       netgroup
41              Network  wide list of hosts and users, used for access rules.  C
42              libraries before glibc 2.1 only support netgroups over NIS.
43
44       networks
45              Network names and numbers, used by getnetent(3) functions.
46
47       passwd User passwords, used by getpwent(3) functions.
48
49       protocols
50              Network protocols, used by getprotoent(3) functions.
51
52       publickey
53              Public and secret keys for Secure_RPC used by NFS and NIS+.
54
55       rpc    Remote procedure call names and numbers, used by getrpcbyname(3)
56              and similar functions.
57
58       services
59              Network services, used by getservent(3) functions.
60
61       shadow Shadow user passwords, used by getspnam(3).
62
63       An  example /etc/nsswitch.conf (namely, the default used when /etc/nss‐
64       witch.conf is missing):
65
66       passwd:         compat
67       group:          compat
68       shadow:         compat
69
70       hosts:          dns [!UNAVAIL=return] files
71       networks:       nis [NOTFOUND=return] files
72       ethers:         nis [NOTFOUND=return] files
73       protocols:      nis [NOTFOUND=return] files
74       rpc:            nis [NOTFOUND=return] files
75       services:       nis [NOTFOUND=return] files
76
77       The first column is the database.  The rest of the line  specifies  how
78       the  lookup  process  works.  You can specify the way it works for each
79       database individually.
80
81       The configuration specification for each database can contain two  dif‐
82       ferent items:
83       * The service specification like `files', `db', or `nis'.
84       * The reaction on lookup result like `[NOTFOUND=return]'.
85
86       For  libc5  with  NYS,  the allowed service specifications are `files',
87       `nis', and `nisplus'.  For hosts, you could specify `dns' as extra ser‐
88       vice, for passwd and group `compat', but not for shadow.
89
90       For  glibc,  you  must  have a file called /lib/libnss_SERVICE.so.X for
91       every SERVICE you are using.  On a standard installation, you could use
92       `files',  `db',  `nis',  and  `nisplus'.   For hosts, you could specify
93       `dns' as extra service, for passwd, group, and shadow `compat'.   These
94       services will not be used by libc5 with NYS.  The version number X is 1
95       for glibc 2.0 and 2 for glibc 2.1.
96
97       The second item in the specification gives the user much finer  control
98       on  the  lookup  process.   Action items are placed between two service
99       names and are written within brackets.  The general form is
100
101       `[' ( `!'? STATUS `=' ACTION )+ `]'
102
103       where
104
105       STATUS => success | notfound | unavail | tryagain
106       ACTION => return | continue
107
108       The case of the keywords is insignificant.  The STATUS values  are  the
109       results  of  a  call  to a lookup function of a specific service.  They
110       mean:
111
112       success
113              No error occurred and the wanted entry is returned.  The default
114              action for this is `return'.
115
116       notfound
117              The  lookup process works ok but the needed value was not found.
118              The default action is `continue'.
119
120       unavail
121              The service is permanently unavailable.  This  can  either  mean
122              the needed file is not available, or, for DNS, the server is not
123              available or does not allow  queries.   The  default  action  is
124              `continue'.
125
126       tryagain
127              The  service is temporarily unavailable.  This could mean a file
128              is locked or a server currently cannot accept more  connections.
129              The default action is `continue'.
130
131   Interaction with +/- syntax (compat mode)
132       Linux  libc5 without NYS does not have the name service switch but does
133       allow the user some policy control.   In  /etc/passwd  you  could  have
134       entries  of  the  form  +user or +@netgroup (include the specified user
135       from the NIS passwd map), -user or -@netgroup  (exclude  the  specified
136       user),  and  +  (include every user, except the excluded ones, from the
137       NIS passwd map).  Since most  people  only  put  a  +  at  the  end  of
138       /etc/passwd  to  include  everything  from  NIS,  the switch provides a
139       faster alternative for this case (`passwd: files  nis')  which  doesn't
140       require the single + entry in /etc/passwd, /etc/group, and /etc/shadow.
141       If this is not sufficient, the NSS `compat' service provides  full  +/-
142       semantics.  By default, the source is `nis', but this may be overridden
143       by specifying `nisplus' as source for the pseudo-databases  passwd_com‐
144       pat,  group_compat  and shadow_compat.  These pseudo-databases are only
145       available in GNU C Library.
146

FILES

148       A service named SERVICE is implemented by a shared object library named
149       libnss_SERVICE.so.X that resides in /lib.
150
151       /etc/nsswitch.conf       configuration file
152       /lib/libnss_compat.so.X  implements `compat' source for glibc2
153       /lib/libnss_db.so.X      implements `db' source for glibc2
154       /lib/libnss_dns.so.X     implements `dns' source for glibc2
155       /lib/libnss_files.so.X   implements `files' source for glibc2
156       /lib/libnss_hesiod.so.X  implements `hesiod' source for glibc2
157       /lib/libnss_nis.so.X     implements `nis' source for glibc2
158       /lib/libnss_nisplus.so.2 implements `nisplus' source for glibc 2.1
159

NOTES

161       Within  each  process  that uses nsswitch.conf, the entire file is read
162       only once; if the file is later  changed,  the  process  will  continue
163       using the old configuration.
164
165       With  Solaris, it isn't possible to link programs using the NSS Service
166       statically.  With Linux, this is no problem.
167

COLOPHON

169       This page is part of release 3.25 of the Linux  man-pages  project.   A
170       description  of  the project, and information about reporting bugs, can
171       be found at http://www.kernel.org/doc/man-pages/.
172
173
174
175Linux                             1999-01-17                  NSSWITCH.CONF(5)
Impressum