man-pages/man5/nsswitch.conf.5

.\" Copyright (c) 1998, 1999 Thorsten Kukuk (kukuk@vt.uni-paderborn.de)
.\" Copyright (c) 2011, Mark R. Bannister <cambridge@users.sourceforge.net>
.\"
.\" This is free documentation; you can redistribute it and/or
.\" modify it under the terms of the GNU General Public License as
.\" published by the Free Software Foundation; either version 2 of
.\" the License, or (at your option) any later version.
.\"
.\" The GNU General Public License's references to "object code"
.\" and "executables" are to be interpreted as the output of any
.\" document formatting or typesetting system, including
.\" intermediate and printed output.
.\"
.\" This manual is distributed in the hope that it will be useful,
.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
.\" GNU General Public License for more details.
.\"
.\" You should have received a copy of the GNU General Public
.\" License along with this manual; if not, write to the Free
.\" Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111,
.\" USA.
.\"
.TH NSSWITCH.CONF 5 2011-10-13 "Linux" "Linux Programmer's Manual"
.SH NAME
nsswitch.conf \- Name Service Switch configuration file
.SH DESCRIPTION
The
.I /etc/nsswitch.conf
file is a configuration file used by the GNU C Library to determine from
what sources to obtain name service information in a range of categories,
and in what order.
Each category of information is identified by a database name.
.LP
The file is plain ASCII text, with columns separated by spaces or tab
characters.
The first column defines the database name.
The remaining columns describe the order of sources to query and a
limited
set of actions that can be performed by lookup result.
.LP
The following databases are made available by the standard
GNU C Library:
.RS 3
.TP 10
.B aliases
Mail aliases, used by
.BR getaliasent (3)
and related functions.
.TP
.B ethers
Ethernet numbers.
.TP
.B group
Groups of users, used by
.BR getgrent (3)
and related functions.
.TP
.B hosts
Host names and numbers, used by
.BR gethostbyname (3)
and related functions.
.TP
.B netgroup
Network wide list of hosts and users, used for access rules.
C libraries before glibc 2.1 only supported netgroups over NIS.
.TP
.B networks
Network names and numbers, used by
.BR getnetent (3)
and related functions.
.TP
.B passwd
User passwords, used by
.BR getpwent (3)
and related functions.
.TP
.B protocols
Network protocols, used by
.BR getprotoent (3)
and related functions.
.TP
.B publickey
Public and secret keys for Secure_RPC used by NFS and NIS+.
.TP
.B rpc
Remote procedure call names and numbers, used by
.BR getrpcbyname (3)
and related functions.
.TP
.B services
Network services, used by
.BR getservent (3)
and related functions.
.TP
.B shadow
Shadow user passwords, used by
.BR getspnam (3)
and related functions.
.RE
.LP
Here is an example
.I /etc/nsswitch.conf
file:
.LP
.RS 3
.PD 0
.TP 16
passwd:
compat
.TP
group:
compat
.TP
shadow:
compat
.sp 1n
.TP
hosts:
dns [!UNAVAIL=return] files
.TP
networks:
nis [NOTFOUND=return] files
.TP
ethers:
nis [NOTFOUND=return] files
.TP
protocols:
nis [NOTFOUND=return] files
.TP
rpc:
nis [NOTFOUND=return] files
.TP
services:
nis [NOTFOUND=return] files
.PD
.RE
.LP
The first column is the database name.
The remaining columns specify:
.RS 3
.TP 3
o
One or more service specifications e.g. "files", "db", or "nis".
The order the services appear on the line determine the order in which
those services will be queried, in turn, until a result is found.
.TP
o
Optional actions to perform if a particular result is obtained
from the preceding service, e.g. "[NOTFOUND=return]".
.RE
.LP
The service specifications supported on your system depend on the
presence of shared libraries, and are therefore extensible.
Libraries called
.IB /lib/libnss_SERVICE.so. X
will provide the named
.IR SERVICE .
On a standard installation, you can use
"files", "db", "nis", and "nisplus".
For the hosts database, you can additionally specify "dns".
For the passwd, group, and shadow databases, you can additionally specify
"compat" (see
.B "Compatibility mode"
below).
The version number
.B X
may be 1 for glibc 2.0, or 2 for glibc 2.1 and later.
On systems with additional libraries installed, you may have access to
further services such as "hesiod", "ldap", "winbind" and "wins".
.LP
An action may also be specified following a service specification, that
modifies behaviour following a result obtained from the preceding data
source.
Action items take the general form:
.LP
.RS 3
[
.I STATUS
=
.I ACTION
]
.br
[ !
.I STATUS
=
.I ACTION
]
.RE
.LP
where
.LP
.RS 3
.I STATUS
=>
.B success
|
.B notfound
|
.B unavail
|
.B tryagain
.br
.I ACTION
=>
.B return
|
.B continue
.RE
.LP
The ! negates the test, matching all possible results except the
one specified.
The case of the keywords is insignificant.
.LP
The
.I STATUS
value is matched against the result of the lookup function called by
the preceding service specification, and can be one of:
.RS 3
.TP 10
.B success
No error occurred and the requested entry is returned.
The default action for this condition is "return".
.TP
.B notfound
The lookup succeeded, but the requested entry was not found.
The default action for this condition is "continue".
.TP
.B unavail
The service is permanently unavailable.
This can either mean the
required file cannot be read, or, for network services, the server
is not available or does not allow queries.
The default action for this condition is "continue".
.TP
.B tryagain
The service is temporarily unavailable.
This could mean a file is
locked or a server currently cannot accept more connections.
The default action for this condition is "continue".
.RE
.LP
The
.I ACTION
value can be one of:
.RS 3
.TP 10
.B return
Return a result now.
Do not call any further lookup functions.
.TP
.B continue
Call the next lookup function.
.RE
.SS Compatibility mode (compat)
The NSS "compat" service is similar to "files" except that it
additionally permits special entries in
.I /etc/passwd
for granting users or members of netgroups access to the system.
The following entries are valid in this mode:
.RS 3
.TP 12
.BI + user
Include the specified
.I user
from the NIS passwd map.
.TP
.BI +@ netgroup
Include all users in the given
.IR netgroup .
.TP
.BI \- user
Exclude the specified
.I user
from the NIS passwd map.
.TP
.BI \-@ netgroup
Exclude all users in the given
.IR netgroup .
.TP
.B +
Include every user, except previously excluded ones, in the
NIS passwd map.
.RE
.LP
By default the source is "nis", but this may be
overridden by specifying "nisplus" as source for the pseudo-databases
.BR passwd_compat ,
.B group_compat
and
.BR shadow_compat .
.SH FILES
A service named
.I SERVICE
is implemented by a shared object library named
.IB libnss_SERVICE.so. X
that resides in
.IR /lib .
.RS 3
.TP 25
.PD 0
.I /etc/nsswitch.conf
NSS configuration file.
.TP
.IB /lib/libnss_compat.so. X
implements "compat" source.
.TP
.IB /lib/libnss_db.so. X
implements "db" source.
.TP
.IB /lib/libnss_dns.so. X
implements "dns" source.
.TP
.IB /lib/libnss_files.so. X
implements "files" source.
.TP
.IB /lib/libnss_hesiod.so. X
implements "hesiod" source.
.TP
.IB /lib/libnss_nis.so. X
implements "nis" source.
.TP
.IB /lib/libnss_nisplus.so. X
implements "nisplus" source.
.PD
.RE
.SH SEE ALSO
.BR getent (1),
.BR nss (5).
.SH NOTES
Within each process that uses
.BR nsswitch.conf ,
the entire file is read only once.
If the file is later changed, the
process will continue using the old configuration.
.LP
Traditionally there was only a single source for service information,
often in the form of a single configuration
file (e.g. \fI/etc/passwd\fP).
However, as other nameservices, like the Network Information
Service (NIS) and the Domain Name Service (DNS), became popular,
a method was needed
that would be more flexible than fixed search orders coded into
the C library.
.LP
The Linux libc5 with NYS support and the GNU C Library 2.x (libc.so.6)
introduced a cleaner solution to the problem, based on the
.B "Name Service Switch"
mechanism used by Sun Microsystems in the Solaris 2 C library.