This chapter describes the name service switch, what it does, and how clients use it to obtain naming information from one or more sources. You use the name service switch to coordinate usage of different naming services.
The name service switch is a file named nsswitch.conf. It controls how a client workstation or application obtains network information. It is used by client applications that call any of the getXbyY() interfaces such as:
The name service switch is often referred to as simply the switch or the switch file. Each workstation has a switch file in its /etc directory. Each line of that file identifies a particular type of network information, such as host, password, and group, followed by one or more sources where the client is to look for that information.
A client can obtain naming information from one or more of the switch's sources. For example, an NIS+ client could obtain its hosts information from an NIS+ table and its password information from a local /etc file. In addition, it could specify the conditions under which the switch must use each source (see"Search Criteria").
The Solaris 2.6 release software automatically loads an nsswitch.conf file into every workstation's /etc directory as part of the installation process. Three alternate (template) versions of the switch file are also loaded into /etc:
/etc/nsswitch.files
/etc/nsswitch.nis
/etc/nsswitch.nisplus
These three files are alternate default switch files. Each one is designed for a different primary naming service: /etc files, NIS, or NIS+. When Solaris 2.6 release software is first installed on a workstation, the installer selects the workstation's default name service: NIS+, NIS, or local files. During installation, the corresponding template file is copied to nsswitch.conf. For example, for a workstation client using NIS+, the installation process copies nsswitch.nisplus to nsswitch.conf. Unless you have an unusual namespace, the default template file as copied to nsswitch.conf should be sufficient for normal operation.
No default file is provided for DNS, but you can edit any of these files to use DNS (see "DNS and Internet Access").
If you later change a workstation's primary name service, you simply copy the appropriate alternate switch file to nsswitch.conf. (See "The nsswitch.conf Template Files".) You can also change the sources of particular types of network information used by the client by editing the appropriate lines of the /etc/nsswitch.conf file. The syntax for doing this is described below, and additional instructions are provided in Solaris Naming Setup and Configuration Guide.
The nsswitch.conf file is essentially a list of 15 types of information and the sources that getXXbyYY() routines search for that information. The 15 types of information, not necessarily in this order, are:
aliases
bootparams
ethers
group
hosts
netgroup
netmasks
networks
passwd (includes shadow information)
protocols
publickey
rpc
services
automount
sendmailvars
Table 2-1 provides a description of the kind of sources that can be listed in the switch file for the information types above.
Table 2-1 Switch File Information Sources
Information Sources |
Description |
---|---|
files |
A file stored in the client's /etc directory. For example, /etc/passwd |
nisplus |
An NIS+ table. For example, the hosts table. |
nis |
A NIS map. For example, the hosts map. |
compat |
Compat can be used for password and group information to support old-style + or - syntax in /etc/passwd, /etc/shadow, and /etc/group files. |
dns |
Can be used to specify that host information be obtain from DNS. |
Single Source. If an information type has only one source, such as nisplus a routine using the switch searches for the information in that source only. If it finds the information, it returns a success status message. If it does not find the information, it stops searching and returns a different status message. What the routine does with the status message varies from routine to routine.
Multiple Sources. If a table has more than one source for a given information type, the switch directs the routine to start searching for the information in the first source that is listed. If it finds the information, it returns a success status message. If it does not find the information in the first source, it tries the next source. The routine will search through all of the sources until it has found the information it needs, or it is halted by encountering a return specification. If all of the listed sources are searched without find the information, the routine stops searching and returns a non-success status message.
If a routine finds the information, it returns a success status message; if it does not find the information it is looking for, it returns one of three unsuccessful status messages, depending on the reason for not finding the information. Possible status messages are listed in Table 2-2.
Table 2-2 Switch Search Status Messages
Status Message |
Meaning of Message |
---|---|
SUCCESS |
The requested entry was found in the specified source. |
UNAVAIL |
The source is not responding or is unavailable. That is, the NIS+ table, or NIS map, or /etc file could not be found or accessed. |
NOTFOUND |
The source responded with "No such entry." In other words, the table, map, or file was accessed but it did not contain the needed information. |
TRYAGAIN |
The source is busy; it might respond next time. In other words, the table, map, or file was found, but it could not respond to the query. |
You can instruct the switch to respond to status messages with either of these two actions shown in Table 2-3.
Table 2-3 Responses to Switch Status Messages
Action |
Meaning |
---|---|
return |
Stop looking for the information. |
continue |
Try the next source, if there is one. |
The combination of nsswitch.conf file status message and action option determine what the routine does at each step. This combination of status and action is called the search criteria.
The switch's default search criteria are the same for every source. Described in terms of the status messages listed above, they are:
SUCCESS=return. Stop looking for the information and proceed using the information that has been found.
UNAVAIL=continue. Go to the next nsswitch.conf file source and continue searching. If this is the last (or only) source, return with a NOTFOUND status.
NOTFOUND=continue. Go to the next nsswitch.conf file source and continue searching. If this is the last (or only) source, return with a NOTFOUND status.
TRYAGAIN=continue. Go to the next nsswitch.conf file source and continue searching. If this is the last (or only) source, return with a NOTFOUND status.
Because these are the default search criteria, they are assumed. That is, you do not have to explicitly specify them in the switch file. You can change these default search criteria by explicitly specifying some other criteria using the STATUS=action syntax show above. For example, the default action for a NOTFOUND condition is to continue the search to the next source. To specify that for a particular type of information, such as networks, the search is to halt on a NOTFOUND condition, you would edit the networks line of the switch file to read:
networks: nis [NOTFOUND=return] files |
The networks: nis [NOTFOUND=return] files line specifies a nondefault criterion for the NOTFOUND status. (Nondefault criteria are delimited by square brackets.)
In this example, the search routine behaves as follows:
If the networks map is available and contains the needed information, the routine returns with a SUCCESS status message.
If the networksmap is not available, the routine returns with an UNAVAIL status message and by default continues on to search the appropriate /etc file.
If the networks map is available and found, but it does not contain the needed information, the routine returns with a NOTFOUND message. But instead of continuing on to search the appropriate /etc file (the default behavior), the routine stops searching.
If the networks map is busy, the routine returns with an TRYAGAINstatus message and by default continues on to search the appropriate /etc file.
Client library routines contain compiled-in default entries that are used if an entry in the nsswitch.conf file is either missing or syntactically incorrect. These entries are the same as the switch file's defaults.
The name service switch assumes that the spelling of table and source names is correct. If you misspell a table or source name, the switch uses default values.
The switch search criteria for the auto_home and auto_master tables and maps is combined into one category called automount.
The timezone table does not use the switch, so it is not included in the switch file's list.
Any nsswitch.conf file line beginning with a hash character (#) is interpreted as a comment line and is ignored by routines that search the file.
When a hash character (#) is included in the middle of the line, characters to the left of the hash mark (before the hash mark) are interpreted by routines that search the nsswitch.conf file; characters to the right of the hash mark (after the hash mark) are interpreted as comments and not acted upon.
Table 2-4 Switch File Comment Examples
Type of Line |
Example |
---|---|
Comment line (not interpreted). |
# hosts: nisplus [NOTFOUND=return] files |
Fully interpreted line. |
hosts: nisplus [NOTFOUND=return] file |
Partially interpreted line (the files element not interpreted) |
hosts: nisplus [NOTFOUND=return] # files |
The keyserver reads the publickey entry in the name service switch configuration file only when the keyserver is started. As a result, if you change the switch configuration file, the keyserver does not become aware of changes to the publickey entry until it is restarted.
Three nsswitch.conf template files are provided with the Solaris 2.6 release. Each of them provides a different default set of primary and subsequent information sources.
The three template files are:
NIS+ template file. The nsswitch.nisplus configuration file specifies NIS+ as the primary source for all information except passwd, group, automount, and aliases. For those four files, the primary source is local /etc files and the secondary source is an NIS+ table. The [NOTFOUND=return] search criterion instructs the switch to stop searching the NIS+ tables if it receives a "No such entry" message from them. It searches through local files only if the NIS+ server is unavailable.
NIS template file. The nsswitch.nis configuration file is almost identical to the NIS+ configuration file, except that it specifies NIS maps in place of NIS+ tables. Because the search order for passwd and group is files nis, you don't need to place the + entry in the /etc/passwd and /etc/group files.
Files template fileThe nsswitch.files configuration file specifies local /etc files as the only source of information for the workstation. There is no "files" source for netgroup, so the client simply won't use that entry in the switch file.
Copy the template file that most closely meets your requirements to nsswitch.conf configuration file is nsswitch.conf and then modify nsswitch.conf as needed. (See the switch chapter of Solaris Naming Setup and Configuration Guide for a detailed description of this process.)
For example, to use the NIS+ template file, you would type the following command:
mymachine# cp nsswitch.nisplus nsswitch.conf |
Here are the three switch files supplied with Solaris 2.6 release:
# # /etc/nsswitch.nisplus: # # An example file that could be copied over to /etc/nsswitch.conf; # it uses NIS+ (NIS Version 3) in conjunction with files. # # "hosts:" and "services:" in this file are used only if the # /etc/netconfig file has a "-" for nametoaddr_libs of "inet" # transports. # the following two lines obviate the "+" entry in /etc/passwd # and /etc/group. passwd: files nisplus group: files nisplus # consult /etc "files" only if nisplus is down. hosts: nisplus [NOTFOUND=return] files # Uncomment the following line, and comment out the above, to use # both DNS and NIS+. You must also set up the /etc/resolv.conf # file for DNS name server lookup. See resolv.conf(4). # hosts: nisplus dns [NOTFOUND=return] files services: nisplus [NOTFOUND=return] files networks: nisplus [NOTFOUND=return] files protocols: nisplus [NOTFOUND=return] files rpc: nisplus [NOTFOUND=return] files ethers: nisplus [NOTFOUND=return] files netmasks: nisplus [NOTFOUND=return] files bootparams: nisplus [NOTFOUND=return] files publickey: nisplus netgroup: nisplus automount: files nisplus aliases: files nisplus sendmailvars: files nisplus |
# # /etc/nsswitch.nis: # # An example file that could be copied over to /etc/nsswitch.conf; # it uses NIS (YP) in conjunction with files. # # "hosts:" and "services:" in this file are used only if the # /etc/netconfig file has a "-" for nametoaddr_libs of "inet" # transports. # # the following two lines obviate the "+" entry in /etc/passwd # and /etc/group. passwd: files nis group: files nis # consult /etc "files" only if nis is down. hosts: nis [NOTFOUND=return] files networks: nis [NOTFOUND=return] files protocols: nis [NOTFOUND=return] files rpc: nis [NOTFOUND=return] files ethers: nis [NOTFOUND=return] files netmasks: nis [NOTFOUND=return] files bootparams: nis [NOTFOUND=return] files publickey: nis [NOTFOUND=return] files netgroup: nis automount: files nis aliases: files nis # for efficient getservbyname() avoid nis services: files nis sendmailvars: files |
# # /etc/nsswitch.files: # # An example file that could be copied over to /etc/nsswitch.conf; # it does not use any naming service. # # "hosts:" and "services:" in this file are used only if the # /etc/netconfig file has a "-" for nametoaddr_libs of "inet" # transports. passwd: files group: files hosts: files networks: files protocols: files rpc: files ethers: files netmasks: files bootparams: files publickey: files # At present there isn't a 'files' backend for netgroup; # the system will figure it out pretty quickly, and won't use # netgroups at all. netgroup: files automount: files aliases: files services: files sendmailvars: files |
The default nsswitch.conf file that is installed when you install the Solaris operating system for the first time is determined by which name serve you select during the Solaris software installation process. When you chose a name service, the switch template file for that service is copied to create the new nsswitch.conf file. For example, if you choose NIS+, the nsswitch.nisplus file is copied to create a new nsswitch.conf file
The nsswitch.conf file also controls DNS forwarding for clients as described in the following subsections. DNS forwarding grants Internet access to clients.
The NIS+ client must have a properly configured /etc/resolv.conf file (as described in "DNS Clients and the Resolver").
See the switch file chapter of Solaris Naming Setup and Configuration Guide for step-by-step instructions on enabling DNS forwarding for NIS+ and NIS clients.
NIS+ clients do not have implicit DNS forwarding capabilities like NIS clients do. Instead, they take advantage of the switch. To provide DNS forwarding capabilities to an NIS+ client, change its hosts entry to:
hosts: nisplus dns [NOTFOUND=return] files |
DNS forwarding is inherent in the NIS name service. The proper format for the hosts line in a NIS-primary switch file to enable DNS forwarding is:
hosts: nis [NOTFOUND=return] files |
If an NIS client is using the DNS forwarding capability of a NIS-compatible NIS+ server, its nsswitch.conf file should nothave hosts: nis dns files as the syntax for the hosts file. This is because DNS forwarding automatically forwards host requests to DNS and this syntax would cause the NIS+ server to forward unsuccessful requests to the DNS servers twice, which would reduce performance. To take best advantage of DNS forwarding, use the default syntax for the nsswitch.nis file.
You can add to your nsswitch.conf file compatibility with the +/- syntax sometimes used in /etc/passwd, /etc/shadow, and /etc/group files.
NIS+. To provide +/- semantics with NIS+, change the passwd and groups sources to compat and add a passwd_compat: nisplus entry to the nsswitch.conf file after the passwd or group entry as shown below:
passwd: compat passwd_compat: nisplus group: compat group_compat: nisplus |
This specifies that client routines obtain their network information from /etc files and NIS+ tables as indicated by the +/- entries in the files.
NIS. To provide the same syntax as in the Sun Operating System 4.x release, change the passwd and groups sources to compat.
passwd: compat group: compat |
This specifies that /etc files and NIS maps as indicated by the +/- entries in the files.
Users working on a client machine being served by an NIS+ server running in NIS compatibility mode cannot run ypcat on the netgroup table. Doing so will give you results as if the table were empty even if it has entries.
See the switch file chapter of Solaris Naming Setup and Configuration Guide for step by step instructions on adding +/- semantics to an nsswitch.conf file.
For passwd information, files should always be the first source searched.
For example, in an NIS+ environment, the passwd line of the nsswitch.conf file should look like this:
passwd: files nisplus |
In a NIS environment, the passwd line of the nsswitch.conf file should look like this:
passwd: files nis |
files should be the first source in the nsswitch.conf file for passwd information. If files is not the first source, network security could be weakened and users could encounter log in difficulty.
See Part V, for more about the Federated Naming Service.
FNS, the Solaris implementation of the XFN API, can also be used to specify which name service a client is to query for naming information. The XFN API is more general in both the X and Y dimensions than the update getXbyY() interfaces that use the switch file. For example, it can be used to lookup information on both hosts and users, from both NIS+ and NIS. An application can be a client of either getXbyY(), or XFN, or both.
In order to ensure that changes made to namespace data through FNS are always available to clients obtaining namespace information through the switch file, always configure both the switch and FNS to use the same name service.
The support for data updates provided by the XFN API is superior to that of the getXbyY() interfaces. Most namespaces are composed of data from multiple sources. A groups namespace, for example, might contain information from both the /etc/group file and the NIS+ group.org_dir object. But the switch file does not provide enough information for an application update routine to identify the source of some particular piece of group data or the source to update.
Because each FNS subordinate namespace comes entirely from a single name service, updates are simple and straightforward because there is no confusion over which name service the update applies to.