NSSWITCH.CONF(5)           Linux Programmer's Manual          NSSWITCH.CONF(5)

nsswitch.conf - System Databases and Name Service Switch configuration
file

Various functions in the C Library need to be configured to work
correctly in the local environment. Traditionally, this was done by
using files (e.g., /etc/passwd), but other nameservices (like the
Network Information Service (NIS) and the Domain Name Service (DNS))
became popular, and were hacked into the C library, usually with a
fixed search order.

The Linux libc5 with NYS support and the GNU C Library 2.x (libc.so.6)
contain a cleaner solution to this problem. It is modeled on a method
used by Sun Microsystems in the C library of Solaris 2. We follow
their name and call this scheme "Name Service Switch" (NSS). The
sources for the "databases" and their lookup order are specified in the
/etc/nsswitch.conf file.

The following databases are available in the NSS:

aliases
        Mail aliases, provides a system-wide mechanism to redirect mail
        for local recipients. Used by mail transfer agents such as
        Postfix or sendmail(8). Note: on Linux, unlike on other Unices,
        Sendmail uses its own alias resolution system, independent of
        `/etc/nsswitch.conf'.

ethers  Ethernet numbers.

group   Groups of users, used by getgrent(3) functions.

hosts   Host names and numbers, used by gethostbyname(3) and similar
        functions.

netgroup
        Network-wide list of hosts and users, used for access rules. C
        libraries before glibc 2.1 only support netgroups over NIS.

networks
        Network names and numbers, used by getnetent(3) functions.

passwd  User passwords, used by getpwent(3) functions.

protocols
        Network protocols, used by getprotoent(3) functions.

publickey
        Public and secret keys for Secure_RPC used by NFS and NIS+.

rpc     Remote procedure call names and numbers, used by getrpcbyname(3)
        and similar functions.

services
        Network services, used by getservent(3) functions.

shadow  Shadow user passwords, used by getspnam(3).

An example /etc/nsswitch.conf (namely, the default used when
/etc/nsswitch.conf is missing):

    passwd:         compat
    group:          compat
    shadow:         compat

    hosts:          dns [!UNAVAIL=return] files
    networks:       nis [NOTFOUND=return] files
    ethers:         nis [NOTFOUND=return] files
    protocols:      nis [NOTFOUND=return] files
    rpc:            nis [NOTFOUND=return] files
    services:       nis [NOTFOUND=return] files

The first column is the database. The rest of the line specifies how
the lookup process works. You can specify the way it works for each
database individually.

The configuration specification for each database can contain two
different items:
    * The service specification like `files', `db', or `nis'.
    * The reaction to a lookup result like `[NOTFOUND=return]'.

For libc5 with NYS, the allowed service specifications are `files',
`nis', and `nisplus'. For hosts, you could specify `dns' as an extra
service; for passwd and group, `compat', but not for shadow.

For glibc, you must have a file called /lib/libnss_SERVICE.so.X for
every SERVICE you are using. On a standard installation, you could use
`files', `db', `nis', and `nisplus'. For hosts, you could specify
`dns' as an extra service; for passwd, group, and shadow, `compat'.
These services will not be used by libc5 with NYS. The version number
X is 1 for glibc 2.0 and 2 for glibc 2.1.

The second item in the specification gives the user much finer control
over the lookup process. Action items are placed between two service
names and are written within brackets. The general form is

    `[' ( `!'? STATUS `=' ACTION )+ `]'

where

    STATUS => success | notfound | unavail | tryagain
    ACTION => return | continue

The case of the keywords is insignificant. The STATUS values are the
results of a call to a lookup function of a specific service. They
mean:

success
        No error occurred and the wanted entry is returned. The default
        action for this is `return'.

notfound
        The lookup process works ok but the needed value was not found.
        The default action is `continue'.

unavail
        The service is permanently unavailable. This can either mean
        the needed file is not available, or, for DNS, the server is not
        available or does not allow queries. The default action is
        `continue'.

tryagain
        The service is temporarily unavailable. This could mean a file
        is locked or a server currently cannot accept more connections.
        The default action is `continue'.

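An added example (not part of the original manual page or of glibc): a
small Python parser for the line format and action items described
above, plus a walk of the lookup chain showing where a lookup stops.
It assumes glibc's reading of `!' (the action applies to every status
except the named one) and `#' comments, neither of which this page
spells out; the status maps passed to resolve() are constructed.

```python
import re

STATUSES = ("success", "notfound", "unavail", "tryagain")
# Default actions as listed above: success returns, everything else continues.
DEFAULTS = {"success": "return", "notfound": "continue",
            "unavail": "continue", "tryagain": "continue"}

def parse_line(line):
    """Return (database, [(service, {status: action}), ...]), or None if blank."""
    line = line.split("#", 1)[0].strip()  # '#' comments: glibc behaviour (assumption)
    if not line:
        return None
    database, sep, spec = line.partition(":")
    if not sep:
        raise ValueError("missing ':' in " + repr(line))
    chain = []
    for token in re.findall(r"\[[^\]]*\]|[^\s\[\]]+", spec):
        if not token.startswith("["):
            chain.append((token, dict(DEFAULTS)))   # a service, with default actions
            continue
        if not chain:
            raise ValueError("action item before any service: " + token)
        for item in token[1:-1].lower().split():    # keywords are case-insensitive
            m = re.fullmatch(r"(!?)(\w+)=(return|continue)", item)
            if not m or m.group(2) not in STATUSES:
                raise ValueError("bad action item: " + item)
            # '!' negates: the action applies to every status except the named one
            hit = [s for s in STATUSES if (s != m.group(2)) == bool(m.group(1))]
            for status in hit:
                chain[-1][1][status] = m.group(3)   # modifies the preceding service
    return database.strip(), chain

def resolve(chain, reported):
    """Walk the chain with a constructed {service: STATUS} map and return the
    (service, status) where the lookup stops; unlisted services are 'unavail'."""
    stop = (None, "unavail")
    for service, actions in chain:
        stop = (service, reported.get(service, "unavail"))
        if actions[stop[1]] == "return":
            break
    return stop

def modules(chain, x=2):
    """Shared objects needed for this chain (X=2 for glibc 2.1, per this page)."""
    return ["/lib/libnss_%s.so.%d" % (service, x) for service, _ in chain]
```

With the default `hosts: dns [!UNAVAIL=return] files' line, a "not
found" answer from DNS ends the lookup, so the files source is only
consulted when DNS is unavailable.
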
Interaction with +/- syntax (compat mode)
Linux libc5 without NYS does not have the name service switch but does
allow the user some policy control. In /etc/passwd you could have
entries of the form +user or +@netgroup (include the specified user
from the NIS passwd map), -user or -@netgroup (exclude the specified
user), and + (include every user, except the excluded ones, from the
NIS passwd map). Since most people only put a + at the end of
/etc/passwd to include everything from NIS, the switch provides a
faster alternative for this case (`passwd: files nis') which doesn't
require the single + entry in /etc/passwd, /etc/group, and /etc/shadow.
If this is not sufficient, the NSS `compat' service provides full +/-
semantics. By default, the source is `nis', but this may be overridden
by specifying `nisplus' as source for the pseudo-databases
passwd_compat, group_compat and shadow_compat. These pseudo-databases
are only available in GNU C Library.

A service named SERVICE is implemented by a shared object library named
libnss_SERVICE.so.X that resides in /lib.

/etc/nsswitch.conf          configuration file
/lib/libnss_compat.so.X     implements `compat' source for glibc2
/lib/libnss_db.so.X         implements `db' source for glibc2
/lib/libnss_dns.so.X        implements `dns' source for glibc2
/lib/libnss_files.so.X      implements `files' source for glibc2
/lib/libnss_hesiod.so.X     implements `hesiod' source for glibc2
/lib/libnss_nis.so.X        implements `nis' source for glibc2
/lib/libnss_nisplus.so.2    implements `nisplus' source for glibc 2.1

Within each process that uses nsswitch.conf, the entire file is read
only once; if the file is later changed, the process will continue
using the old configuration.

With Solaris, it isn't possible to link programs using the NSS Service
statically. With Linux, this is no problem.

This page is part of release 3.25 of the Linux man-pages project. A
description of the project, and information about reporting bugs, can
be found at http://www.kernel.org/doc/man-pages/.

Linux                             1999-01-17                  NSSWITCH.CONF(5)