1NSS-SYSTEMD(8) nss-systemd NSS-SYSTEMD(8)
2
6 nss-systemd, libnss_systemd.so.2 - UNIX user and group name resolution
7 for user/group lookup via Varlink
8
10 libnss_systemd.so.2
11
13 nss-systemd is a plug-in module for the GNU Name Service Switch (NSS)
14 functionality of the GNU C Library (glibc), providing UNIX user and
15 group name resolution for services implementing the User/Group Record
16 Lookup API via Varlink[1], such as the system and service manager
17 systemd(1) (for its DynamicUser= feature, see systemd.exec(5) for
18 details), systemd-homed.service(8), or systemd-machined.service(8).
19 This module also ensures that the root and nobody users and groups
21 (i.e. the users/groups with the UIDs/GIDs 0 and 65534) remain
22 resolvable at all times, even if they aren't listed in /etc/passwd or
23 /etc/group, or if these files are missing.
24 This module preferably utilizes systemd-userdbd.service(8) for
26 resolving users and groups, but also works without the service running.
27 To activate the NSS module, add "systemd" to the lines starting with
29 "passwd:", "group:", "shadow:" and "gshadow:" in /etc/nsswitch.conf.
30 It is recommended to place "systemd" after the "files" or "compat"
32 entry of the /etc/nsswitch.conf lines so that /etc/passwd, /etc/group,
33 /etc/shadow and /etc/gshadow based mappings take precedence.
34
36 Besides user/group records acquired via the aforementioned Varlink IPC
37 interfaces and the synthesized root and nobody accounts, this module
38 also makes user and group accounts available to the system that are
39 defined in static drop-in files in the /etc/userdb/, /run/userdb/,
40 /run/host/userdb/ and /usr/lib/userdb/ directories.
41 This is a simple mechanism to provide static user and group records via
43 JSON drop-in files. Such user records should be defined in the format
44 described by the JSON User Records[2] specification and be placed in
45 one of the aforementioned directories under a file name composed of the
46 user name suffixed with .user, with a world-readable access mode. A
47 symlink named after the user record's UID formatted in decimal and
48 suffixed with .user pointing to the primary record file should be
49 created as well, in order to allow both lookups by username and by UID.
50 Privileged user record data (e.g. hashed UNIX passwords) may optionally
51 be provided as well, in a pair of separate companion files with the
52 .user-privileged suffix. The data should be stored in a regular file
53 named after the user name, suffixed with .user-privileged, and a
54 symlink pointing to it, named after the used numeric UID formatted in
55 decimal with the same suffix. These companion files should not be
56 readable to anyone but root. Example:
57 -rw-r--r--. 1 root root 723 May 10 foobar.user
59 -rw-------. 1 root root 123 May 10 foobar.user-privileged
60 lrwxrwxrwx. 1 root root 19 May 10 4711.user -> foobar.user
61 lrwxrwxrwx. 1 root root 19 May 10 4711.user-privileged -> foobar.user-privileged
62 Similarly, group records following the format described in JSON Group
64 Record[3] may be defined, using the file suffixes .group and
65 .group-privileged.
66 The primary user/group record files (i.e. those with the .user and
68 .group suffixes) should not contain the "privileged" section as
69 described in the specifications. The privileged user/group record files
70 (i.e. those with the .user-privileged and .group-privileged suffixes)
71 should contain this section, exclusively.
72 Note that static user/group records generally do not override
74 conflicting records in /etc/passwd or /etc/group or other account
75 databases. In fact, before dropping in these files a reasonable level
76 of care should be taken to avoid user/group name and UID/GID conflicts.
77
79 Here is an example /etc/nsswitch.conf file that enables nss-systemd
80 correctly:
81 passwd: compat systemd
83 group: compat [SUCCESS=merge] systemd
84 shadow: compat systemd
85 gshadow: files systemd
86 hosts: mymachines resolve [!UNAVAIL=return] files myhostname dns
88 networks: files
89 protocols: db files
91 services: db files
92 ethers: db files
93 rpc: db files
94 netgroup: nis
96
98 The container "rawhide" is spawned using systemd-nspawn(1):
99 # systemd-nspawn -M rawhide --boot --network-veth --private-users=pick
101 Spawning container rawhide on /var/lib/machines/rawhide.
102 Selected user namespace base 20119552 and range 65536.
103 ...
104 $ machinectl --max-addresses=3
106 MACHINE CLASS SERVICE OS VERSION ADDRESSES
107 rawhide container systemd-nspawn fedora 30 169.254.40.164 fe80::94aa:3aff:fe7b:d4b9
108 $ getent passwd vu-rawhide-0 vu-rawhide-81
110 vu-rawhide-0:*:20119552:65534:vu-rawhide-0:/:/usr/sbin/nologin
111 vu-rawhide-81:*:20119633:65534:vu-rawhide-81:/:/usr/sbin/nologin
112 $ getent group vg-rawhide-0 vg-rawhide-81
114 vg-rawhide-0:*:20119552:
115 vg-rawhide-81:*:20119633:
116 $ ps -o user:15,pid,tty,command -e|grep '^vu-rawhide'
118 vu-rawhide-0 692 ? /usr/lib/systemd/systemd
119 vu-rawhide-0 731 ? /usr/lib/systemd/systemd-journald
120 vu-rawhide-192 734 ? /usr/lib/systemd/systemd-networkd
121 vu-rawhide-193 738 ? /usr/lib/systemd/systemd-resolved
122 vu-rawhide-0 742 ? /usr/lib/systemd/systemd-logind
123 vu-rawhide-81 744 ? /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
124 vu-rawhide-0 746 ? /usr/sbin/sshd -D ...
125 vu-rawhide-0 752 ? /usr/lib/systemd/systemd --user
126 vu-rawhide-0 753 ? (sd-pam)
127 vu-rawhide-0 1628 ? login -- zbyszek
128 vu-rawhide-1000 1630 ? /usr/lib/systemd/systemd --user
129 vu-rawhide-1000 1631 ? (sd-pam)
130 vu-rawhide-1000 1637 pts/8 -zsh
131
133 systemd(1), systemd.exec(5), nss-resolve(8), nss-myhostname(8), nss-
134 mymachines(8), systemd-userdbd.service(8), systemd-homed.service(8),
135 systemd-machined.service(8), nsswitch.conf(5), getent(1)
136
138 1. User/Group Record Lookup API via Varlink
139 https://systemd.io/USER_GROUP_API
140 2. JSON User Records
142 https://systemd.io/USER_RECORD
143 3. JSON Group Record
145 https://systemd.io/GROUP_RECORD
146systemd 249 NSS-SYSTEMD(8)