Man Pages (4): File Formats

nsswitch.conf(4)

NAME

nsswitch.conf- Configuration file for the name service switch

SYNOPSIS

/etc/nsswitch.conf

DESCRIPTION

The operating environment uses a number of "databases" of information about hosts, users (passwd/shadow), groups and so forth. Data for these can come from a variety of sources: host-names and host-addresses, for example, may be found in /etc/hosts, NIS+, or DNS. Zero or more sources may be used for each database; the sources and their lookup order are specified in the /etc/nsswitch.conf file.

The following databases use the switch file:

Database

Used by

aliases

automount

bootparams

ethers

group

hosts

(See "Interaction with netconfig" below.)

netgroup

innetgr(3N)

netmasks

ifconfig(1M)

networks

getnetbyname(3N)

passwd

getpwnam(3C), getspnam(3C)

protocols

getprotobyname(3N)

publickey

getpublickey(3N) secure_rpc(3N)

rpc

getrpcbyname(3N)

sendmailvars

sendmail(1M)

services

getservbyname(3N)

(See "Interaction with netconfig"below.)

tsolprof

tsoluser

tnrhdb

tnrhtp

tsolprof

tsoluser

tnrhdb

tnrhtp

The following sources may be used:

Source

Uses

files

/etc/hosts, /etc/passwd, /etc/shadow and so forth

nisplus

NIS+

dns

Valid only for hosts; uses the Internet Domain Name Service.

compat

Valid only for passwd and group; implements + and -.

(See "Interaction with +/- syntax"below.) The compat source may not be supported in future releases.

There is an entry in /etc/nsswitch.conf for each database. Typically these entries will be simple, such as "protocols: files" or "networks: files nisplus". However, when multiple sources are specified, it is sometimes necessary to define precisely the circumstances under which each source will be tried. A source can return one of the following codes:

Status: Meaning
SUCCESS: Requested database entry was found.
UNAVAIL: Source is not responding or is corrupted.
NOTFOUND: Source responded "no such entry".
TRYAGAIN: Source is busy, might respond to retries.

For each status code, two actions are possible:

Action: Meaning
continue: Try the next source in the list.
return: Return now.

The complete syntax of an entry is

<entry>     ::= <database> ":" [<source>
[<criteria>]]*
<criteria>  ::= "[" <criterion>+ "]"
<criterion> ::= <status> "=" <action>
<status>    ::= "success" | "notfound" | "unavail" | "tryagain"
<action>    ::= "return"  | "continue"

Each entry occupies a single line in the file. Lines that are blank, or that start with white space, are ignored. Everything on a line following a # character is also ignored; the # character can begin anywhere in a line, to be used to begin comments. The <database> and <source> names are case-sensitive, but <action> and <status> names are case-insensitive.

The library functions contain compiled-in default entries that are used if the appropriate entry in nsswitch.conf is absent or syntactically incorrect.

The default criteria are to continue on anything except SUCCESS; in other words, [SUCCESS=return NOTFOUND=continue UNAVAIL=continue TRYAGAIN=continue].

The default, or explicitly specified, criteria are meaningless following the last source in an entry; and they are ignored, since the action is always to return to the caller irrespective of the status code the source returns.

Interaction with netconfig

In order to ensure that they all return consistent results, gethostbyname(3N), getservbyname(3N), and netdir_getbyname(3N) functions are all implemented in terms of the same internal library function. This function obtains the system-wide source lookup policy for hosts and services based on the inet family entries in netconfig(4) and uses the switch entries only if the netconfig entries have a "-" in the last column for nametoaddr libraries. See the NOTES section in gethostbyname(3N) and getservbyname(3N) for details.

Interaction with Password Aging

When password aging is turned on, only a limited set of possible name services are permitted for the passwd: database in the /etc/nsswitch.conf file:

passwd:: files
passwd:: files nisplus
passwd:: compat
passwd_compat:: nisplus

Any other settings will cause the passwd(1) command to fail when it attempts to change the password after expiration and will prevent the user from logging in. These are the only permitted settings when password aging has been turned on. Otherwise, you can work around incorrect passwd: lines by using the -r repository argument to the passwd(1) command and using passwd -r repository to override the nsswitch.conf settings and specify in which name service you want to modify your password.

Interaction with +/- syntax

Releases prior to SunOS 5.0 did not have the name service switch but did allow the user some policy control. In /etc/passwd one could have entries of the form +user (include the specified user from NIS passwd.byname), -user (exclude the specified user) and + (include everything, except excluded users, from NIS passwd.byname). The desired behavior was often "everything in the file followed by everything in NIS", expressed by a solitary + at the end of /etc/passwd. The switch provides an alternative for this case ("passwd: files nis") that does not require + entries in /etc/passwd and /etc/shadow (the latter is a new addition to SunOS 5.0, see shadow(4)).

If this is not sufficient, the NIS/YP compatibility source provides full +/- semantics. It reads /etc/passwd for getpwnam(3C) functions and /etc/shadow for getspnam(3C) functions and, if it finds +/- entries, invokes an appropriate source. By default, the source is "nis", but this may be overridden by specifying "nisplus" as the source for the pseudo-database passwd_compat.

Note that for every /etc/passwd entry, there should be a corresponding entry in the /etc/shadow file.

Useful Configurations

The compiled-in default entries for all databases use NIS (YP) as the enterprise level name service and are identical to those in the default configuration of this file:

passwd:: files nis
group:: files nis
hosts:: nis [NOTFOUND=return] files
networks:: nis [NOTFOUND=return] files
protocols:: nis [NOTFOUND=return] files
rpc:: nis [NOTFOUND=return] files
ethers:: nis [NOTFOUND=return] files
netmasks:: nis [NOTFOUND=return] files
bootparams:: nis [NOTFOUND=return] files
publickey:: nis [NOTFOUND=return] files
netgroup:: nis
automount:: files nis
aliases:: files nis
services:: files nis
sendmailvars:: files

The policy "nis [NOTFOUND=return] files" implies "if nis is UNAVAIL, continue on to files, and if nis returns NOTFOUND, return to the caller; in other words, treat nis as the authoritative source of information and try files only if nis is down. This, and other policies listed in the default configuration above, are identical to the hard-wired policies in SunOS releases prior to 5.0.

If compatibility with the +/- syntax for passwd and group is required, simply modify the entries for passwd and group to:

passwd:: compat
group:: compat

If NIS+ is the enterprise level name service, the default configuration should be modified to use nisplus instead of nis for every database on client machines. The file /etc/nsswitch.nisplus contains a sample configuration that can be copied to /etc/nsswitch.conf to set this policy.

If the use of +/- syntax is desired in conjunction with nisplus, use the following four entries:

passwd:: compat
passwd_compat:: nisplus
group:: compat
group_compat:: nisplus

In order to get information from the Internet Domain Name Service for hosts that are not listed in the enterprise level name service, NIS+, use the following configuration and set up the /etc/resolv.conf file (see resolv.conf(4) for more details):

hosts:: nisplus dns [NOTFOUND=return] files

Enumeration -- getXXXent()

Many of the databases have enumeration functions: passwd has getpwent(), hosts has gethostent(), and so on. These were reasonable when the only source was files but often make little sense for hierarchically structured sources that contain large numbers of entries, much less for multiple sources. The interfaces are still provided and the implementations strive to provide reasonable results, but the data returned may be incomplete (enumeration for hosts is simply not supported by the dns source), inconsistent (if multiple sources are used), formatted in an unexpected fashion (for a host with a canonical name and three aliases, the nisplus source will return four hostents, and they may not be consecutive), or very expensive (enumerating a passwd database of 5,000 users is probably a bad idea). Furthermore, multiple threads in the same process using the same reentrant enumeration function (getXXXent_r() are supported beginning with SunOS 5.3) share the same enumeration position; if they interleave calls, they will enumerate disjoint subsets of the same database.

In general, the use of the enumeration functions is deprecated. In the case of passwd, shadow, and group, it may sometimes be appropriate to use fgetgrent(), fgetpwent(), and fgetspent() (see getgrnam(3C), getpwnam(3C), and getspnam(3C), respectively), which use only the files source.

FILES

A source named SSS is implemented by a shared object named nss_SSS.so.1 that resides in /usr/lib.

/etc/nsswitch.conf: Name service configuration file.
/usr/lib/nss_compat.so.1: Implements "compat" source.
/usr/lib/nss_dns.so.1: Implements "dns" source.
/usr/lib/nss_files.so.1: Implements "files" source.
/usr/lib/nss_nis.so.1: Implements "nis" source.
/usr/lib/nss_nisplus.so.1: Implements "nisplus" source.
/etc/netconfig: Configuration file for netdir(3N) functions that redirects hosts/devices policy to the switch.
/etc/nsswitch.files: Sample configuration file that uses "files" only.
/etc/nsswitch.nis: Sample configuration file that uses "files" and "nis".
/etc/nsswitch.nisplus: Sample configuration file that uses "files" and "nisplus".

SUMMARY OF TRUSTED SOLARIS CHANGES

The following Trusted Solaris files have been added: tsolprof, tsoluser, tnrhdb, and tnrhtp.

In the default Trusted Solaris environment, an administrative role uses the Name Service Switch action in the System_Admin folder in the Application Manager to edit the nsswitch.conf file. This file should not be edited directly.

The Trusted Solaris environment does not support NIS (YP) or compatibility packages.

Trusted Solaris 7 Reference Manual

automount(1M), ifconfig(1M), rpc.bootparamd(1M), rpc.nisd(1M), sendmail(1M), resolv.conf(4)

SunOS 5.7 Reference Manual

nis+(1), passwd(1), ethers(3N), getgrnam(3C), gethostbyname(3N), getnetbyname(3N), getnetgrent(3N), getprotobyname(3N), getpublickey(3N), getpwnam(3C), getrpcbyname(3N), getservbyname(3N), getspnam(3C), netdir(3N), secure_rpc(3N), netconfig(4)

NOTES

Within each process that uses nsswitch.conf, the entire file is read only once; if the file is later changed, the process will continue using the old configuration.

Programs that use the getXXbyYY() functions cannot be linked statically since the implementation of these functions requires dynamic linker functionality to access the shared objects /usr/lib/nss_SSS.so.1 at run-time.

The compat source may not be supported in future releases.

Misspelled names of sources and databases will be treated as legitimate names of (most likely nonexistent) sources and databases.

The following functions do not use the switch: fgetgrent(3C), fgetpwent(3C), fgetspent(3C), getpw(3C), putpwent(3C), shadow(4).

Trusted Solaris 7 Last Revised 1 Nov 1999