1NSS-SYSTEMD(8)                    nss-systemd                   NSS-SYSTEMD(8)
2
3
4

NAME

6       nss-systemd, libnss_systemd.so.2 - UNIX user and group name resolution
7       for user/group lookup via Varlink
8

SYNOPSIS

10       libnss_systemd.so.2
11

DESCRIPTION

13       nss-systemd is a plug-in module for the GNU Name Service Switch (NSS)
14       functionality of the GNU C Library (glibc), providing UNIX user and
15       group name resolution for services implementing the User/Group Record
16       Lookup API via Varlink[1], such as the system and service manager
17       systemd(1) (for its DynamicUser= feature, see systemd.exec(5) for
18       details), systemd-homed.service(8), or systemd-machined.service(8).
19
20       This module also ensures that the root and nobody users and groups
21       (i.e. the users/groups with the UIDs/GIDs 0 and 65534) remain
22       resolvable at all times, even if they aren't listed in /etc/passwd or
23       /etc/group, or if these files are missing.
24
25       This module preferably utilizes systemd-userdbd.service(8) for
26       resolving users and groups, but also works without the service running.
27
28       To activate the NSS module, add "systemd" to the lines starting with
29       "passwd:", "group:", "shadow:" and "gshadow:" in /etc/nsswitch.conf.
30
31       It is recommended to place "systemd" after the "files" or "compat"
32       entry of the /etc/nsswitch.conf lines so that /etc/passwd, /etc/group,
33       /etc/shadow and /etc/gshadow based mappings take precedence.
34

STATIC DROP-IN JSON USER/GROUP RECORDS

36       Besides user/group records acquired via the aforementioned Varlink IPC
37       interfaces and the synthesized root and nobody accounts, this module
38       also makes user and group accounts available to the system that are
39       defined in static drop-in files in the /etc/userdb/, /run/userdb/,
40       /run/host/userdb/ and /usr/lib/userdb/ directories.
41
42       This is a simple mechanism to provide static user and group records via
43       JSON drop-in files. Such user records should be defined in the format
44       described by the JSON User Records[2] specification and be placed in
45       one of the aforementioned directories under a file name composed of the
46       user name suffixed with .user, with a world-readable access mode. A
47       symlink named after the user record's UID formatted in decimal and
48       suffixed with .user pointing to the primary record file should be
49       created as well, in order to allow both lookups by username and by UID.
50       Privileged user record data (e.g. hashed UNIX passwords) may optionally
51       be provided as well, in a pair of separate companion files with the
52       .user-privileged suffix. The data should be stored in a regular file
53       named after the user name, suffixed with .user-privileged, and a
54       symlink pointing to it, named after the used numeric UID formatted in
55       decimal with the same suffix. These companion files should not be
56       readable to anyone but root. Example:
57
58           -rw-r--r--. 1 root root  723 May 10 foobar.user
59           -rw-------. 1 root root  123 May 10 foobar.user-privileged
60           lrwxrwxrwx. 1 root root   19 May 10 4711.user -> foobar.user
61           lrwxrwxrwx. 1 root root   19 May 10 4711.user-privileged -> foobar.user-privileged
62
63       Similarly, group records following the format described in JSON Group
64       Record[3] may be defined, using the file suffixes .group and
65       .group-privileged.
66
67       The primary user/group record files (i.e. those with the .user and
68       .group suffixes) should not contain the "privileged" section as
69       described in the specifications. The privileged user/group record files
70       (i.e. those with the .user-privileged and .group-privileged suffixes)
71       should contain this section, exclusively.
72
73       Note that static user/group records generally do not override
74       conflicting records in /etc/passwd or /etc/group or other account
75       databases. In fact, before dropping in these files a reasonable level
76       of care should be taken to avoid user/group name and UID/GID conflicts.
77

CONFIGURATION IN /ETC/NSSWITCH.CONF

79       Here is an example /etc/nsswitch.conf file that enables nss-systemd
80       correctly:
81
82           passwd:         compat systemd
83           group:          compat [SUCCESS=merge] systemd
84           shadow:         compat systemd
85           gshadow:        files systemd
86
87           hosts:          mymachines resolve [!UNAVAIL=return] files myhostname dns
88           networks:       files
89
90           protocols:      db files
91           services:       db files
92           ethers:         db files
93           rpc:            db files
94
95           netgroup:       nis
96

EXAMPLE: MAPPINGS PROVIDED BY SYSTEMD-MACHINED.SERVICE

98       The container "rawhide" is spawned using systemd-nspawn(1):
99
100           # systemd-nspawn -M rawhide --boot --network-veth --private-users=pick
101           Spawning container rawhide on /var/lib/machines/rawhide.
102           Selected user namespace base 20119552 and range 65536.
103           ...
104
105           $ machinectl --max-addresses=3
106           MACHINE CLASS     SERVICE        OS     VERSION ADDRESSES
107           rawhide container systemd-nspawn fedora 30      169.254.40.164 fe80::94aa:3aff:fe7b:d4b9
108
109           $ getent passwd vu-rawhide-0 vu-rawhide-81
110           vu-rawhide-0:*:20119552:65534:vu-rawhide-0:/:/usr/sbin/nologin
111           vu-rawhide-81:*:20119633:65534:vu-rawhide-81:/:/usr/sbin/nologin
112
113           $ getent group vg-rawhide-0 vg-rawhide-81
114           vg-rawhide-0:*:20119552:
115           vg-rawhide-81:*:20119633:
116
117           $ ps -o user:15,pid,tty,command -e|grep '^vu-rawhide'
118           vu-rawhide-0      692 ?        /usr/lib/systemd/systemd
119           vu-rawhide-0      731 ?        /usr/lib/systemd/systemd-journald
120           vu-rawhide-192    734 ?        /usr/lib/systemd/systemd-networkd
121           vu-rawhide-193    738 ?        /usr/lib/systemd/systemd-resolved
122           vu-rawhide-0      742 ?        /usr/lib/systemd/systemd-logind
123           vu-rawhide-81     744 ?        /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
124           vu-rawhide-0      746 ?        /usr/sbin/sshd -D ...
125           vu-rawhide-0      752 ?        /usr/lib/systemd/systemd --user
126           vu-rawhide-0      753 ?        (sd-pam)
127           vu-rawhide-0     1628 ?        login -- zbyszek
128           vu-rawhide-1000  1630 ?        /usr/lib/systemd/systemd --user
129           vu-rawhide-1000  1631 ?        (sd-pam)
130           vu-rawhide-1000  1637 pts/8    -zsh
131

SEE ALSO

133       systemd(1), systemd.exec(5), nss-resolve(8), nss-myhostname(8), nss-
134       mymachines(8), systemd-userdbd.service(8), systemd-homed.service(8),
135       systemd-machined.service(8), nsswitch.conf(5), getent(1)
136

NOTES

138        1. User/Group Record Lookup API via Varlink
139           https://systemd.io/USER_GROUP_API
140
141        2. JSON User Records
142           https://systemd.io/USER_RECORD
143
144        3. JSON Group Record
145           https://systemd.io/GROUP_RECORD
146
147
148
149systemd 253                                                     NSS-SYSTEMD(8)
Impressum