NAME | DESCRIPTION | FILES | NOTES | COLOPHON
NSSWITCH.CONF(5) Linux Programmer's Manual NSSWITCH.CONF(5)
nsswitch.conf - System Databases and Name Service Switch configuration file
Various functions in the C Library need to be configured to work correctly in
the local environment. Traditionally, this was done by using files (e.g.,
/etc/passwd), but other nameservices (like the Network Information Service
(NIS) and the Domain Name Service (DNS)) became popular, and were hacked into
the C library, usually with a fixed search order.
The Linux libc5 with NYS support and the GNU C Library 2.x (libc.so.6) contain
a cleaner solution of this problem. It is designed after a method used by Sun
Microsystems in the C library of Solaris 2. We follow their name and call
this scheme "Name Service Switch" (NSS). The sources for the "databases" and
their lookup order are specified in the /etc/nsswitch.conf file.
The following databases are available in the NSS:
aliases
Mail aliases, used by sendmail(8). Presently ignored.
ethers Ethernet numbers.
group Groups of users, used by getgrent(3) functions.
hosts Host names and numbers, used by gethostbyname(3) and similar functions.
netgroup
Network wide list of hosts and users, used for access rules. C
libraries before glibc 2.1 only support netgroups over NIS.
networks
Network names and numbers, used by getnetent(3) functions.
passwd User passwords, used by getpwent(3) functions.
protocols
Network protocols, used by getprotoent(3) functions.
publickey
Public and secret keys for Secure_RPC used by NFS and NIS+.
rpc Remote procedure call names and numbers, used by getrpcbyname(3) and
similar functions.
services
Network services, used by getservent(3) functions.
shadow Shadow user passwords, used by getspnam(3).
An example /etc/nsswitch.conf (namely, the default used when
/etc/nsswitch.conf is missing):
passwd: compat
group: compat
shadow: compat
hosts: dns [!UNAVAIL=return] files
networks: nis [NOTFOUND=return] files
ethers: nis [NOTFOUND=return] files
protocols: nis [NOTFOUND=return] files
rpc: nis [NOTFOUND=return] files
services: nis [NOTFOUND=return] files
The first column is the database. The rest of the line specifies how the
lookup process works. You can specify the way it works for each database
individually.
The configuration specification for each database can contain two different
items:
* The service specification like `files', `db', or `nis'.
* The reaction on lookup result like `[NOTFOUND=return]'.
For libc5 with NYS, the allowed service specifications are `files', `nis', and
`nisplus'. For hosts, you could specify `dns' as extra service, for passwd
and group `compat', but not for shadow.
For glibc, you must have a file called /lib/libnss_SERVICE.so.X for every
SERVICE you are using. On a standard installation, you could use `files',
`db', `nis', and `nisplus'. For hosts, you could specify `dns' as extra
service, for passwd, group, and shadow `compat'. These services will not be
used by libc5 with NYS. The version number X is 1 for glibc 2.0 and 2 for
glibc 2.1.
The second item in the specification gives the user much finer control on the
lookup process. Action items are placed between two service names and are
written within brackets. The general form is
`[' ( `!'? STATUS `=' ACTION )+ `]'
where
STATUS => success | notfound | unavail | tryagain
ACTION => return | continue
The case of the keywords is insignificant. The STATUS values are the results
of a call to a lookup function of a specific service. They mean:
success
No error occurred and the wanted entry is returned. The default action
for this is `return'.
notfound
The lookup process works ok but the needed value was not found. The
default action is `continue'.
unavail
The service is permanently unavailable. This can either mean the
needed file is not available, or, for DNS, the server is not available
or does not allow queries. The default action is `continue'.
tryagain
The service is temporarily unavailable. This could mean a file is
locked or a server currently cannot accept more connections. The
default action is `continue'.
Linux libc5 without NYS does not have the name service switch but does allow
the user some policy control. In /etc/passwd you could have entries of the
form +user or +@netgroup (include the specified user from the NIS passwd map),
-user or -@netgroup (exclude the specified user), and + (include every user,
except the excluded ones, from the NIS passwd map). Since most people only
put a + at the end of /etc/passwd to include everything from NIS, the switch
provides a faster alternative for this case (`passwd: files nis') which
doesn't require the single + entry in /etc/passwd, /etc/group, and
/etc/shadow. If this is not sufficient, the NSS `compat' service provides
full +/- semantics. By default, the source is `nis', but this may be
overridden by specifying `nisplus' as source for the pseudo-databases
passwd_compat, group_compat and shadow_compat. These pseudo-databases are
only available in GNU C Library.
A service named SERVICE is implemented by a shared object library named
libnss_SERVICE.so.X that resides in /lib.
/etc/nsswitch.conf configuration file
/lib/libnss_compat.so.X implements `compat' source for glibc2
/lib/libnss_db.so.X implements `db' source for glibc2
/lib/libnss_dns.so.X implements `dns' source for glibc2
/lib/libnss_files.so.X implements `files' source for glibc2
/lib/libnss_hesiod.so.X implements `hesiod' source for glibc2
/lib/libnss_nis.so.X implements `nis' source for glibc2
/lib/libnss_nisplus.so.2 implements `nisplus' source for glibc 2.1
Within each process that uses nsswitch.conf, the entire file is read only
once; if the file is later changed, the process will continue using the old
configuration.
With Solaris, it isn't possible to link programs using the NSS Service
statically. With Linux, this is no problem.
This page is part of release 3.23 of the Linux man-pages project. A
description of the project, and information about reporting bugs, can be found
at http://www.kernel.org/doc/man-pages/.
Linux 1999-01-17 NSSWITCH.CONF(5)