NAME
nsswitch.conf —
name-service switch
configuration file
DESCRIPTION
The
nsswitch.conf file specifies how the
nsdispatch(3) (name-service
switch dispatcher) routines in the C library should operate.
The configuration file controls how a process looks up various databases
containing information regarding hosts, users (passwords), groups, netgroups,
etc. Each database comes from a source (such as local files, DNS, and NIS),
and the order to look up the sources is specified in
nsswitch.conf.
Each entry in
nsswitch.conf consists of a database name, and a
space separated list of sources. Each source can have an optional trailing
criterion that determines whether the next listed source is used, or the
search terminates at the current source. Each criterion consists of one or
more status codes, and actions to take if that status code occurs.
Sources
The following sources are implemented:
Source |
Description |
files |
Local files, such as
/etc/hosts, and /etc/passwd. |
dns |
Internet Domain Name
System. “hosts” and “networks” use
IN class entries, all other databases use
HS class (Hesiod) entries. |
mdnsd |
Use
mdnsd(8) for
“hosts” lookups, acting as both a system-wide cache for normal
unicast DNS as well as providing multicast DNS (“zeroconf”)
lookups. |
multicast_dns |
Use
mdnsd(8) only for multicast
DNS “hosts” lookups. This would normally be used in
conjunction with “dns”, which would then provide unicast DNS
resolver functions. |
nis |
NIS (formerly YP) |
compat |
support ‘+/-’
in the “passwd” and “group” databases. If this is
present, it must be the only source for that entry. |
Databases
The following databases are used by the following C library functions:
Status codes
The following status codes are available:
Status |
Description |
success |
The requested entry was
found. |
notfound |
The entry is not present
at this source. |
tryagain |
The source is busy, and
may respond to retries. |
unavail |
The source is not
responding, or entry is corrupt. |
Actions
For each of the status codes, one of two actions is possible:
Action |
Description |
continue |
Try the next source |
return |
Return with the current
result |
A BNF description of the syntax of
nsswitch.conf is:
<entry> |
::= <database> ":" [<source>
[<criteria>]]* |
<criteria> |
::= "[" <criterion>+
"]" |
<criterion> |
::= <status> "=" <action> |
<status> |
::= "success" | "notfound" |
"unavail" | "tryagain" |
<action> |
::= "return" | "continue" |
Each entry starts on a new line in the file. A ‘#’ delimits a
comment to end of line. Blank lines are ignored. A ‘\’ at the end
of a line escapes the newline, and causes the next line to be a continuation
of the current line. All entries are case-insensitive.
The default criteria is to return on “success”, and continue on
anything else (i.e,
[success=return notfound=continue
unavail=continue tryagain=continue]
).
Compat mode: +/- syntax
In historical multi-source implementations, the ‘+’ and
‘-’ characters are used to specify the importing of user password
and group information from NIS. Although
nsswitch.conf
provides alternative methods of accessing distributed sources such as NIS,
specifying a sole source of “compat” will provide the historical
behaviour.
An alternative source for the information accessed via ‘+/-’ can be
used by specifying “passwd_compat: source”. “source”
in this case can be ‘dns’, ‘nis’, or any other source
except for ‘files’ and ‘compat’.
Notes
Historically, many of the databases had enumeration functions, often of the form
getXXXent(). These made sense when the databases were in
local files, but don't make sense or have lesser relevance when there are
possibly multiple sources, each of an unknown size. The interfaces are still
provided for compatibility, but the source may not be able to provide complete
entries, or duplicate entries may be retrieved if multiple sources that
contain similar information are specified.
To ensure compatibility with previous and current implementations, the
“compat” source must appear alone for a given database.
Default source lists
If, for any reason,
nsswitch.conf doesn't exist, or it has
missing or corrupt entries,
nsdispatch(3) will default
to an entry of “files” for the requested database. Exceptions are:
Database |
Default source list |
group |
compat |
group_compat |
nis |
hosts |
files dns |
netgroup |
files [notfound=return] nis |
passwd |
compat |
passwd_compat |
nis |
FILES
- /etc/nsswitch.conf
- The file nsswitch.conf resides in
/etc.
EXAMPLES
To lookup hosts in
/etc/hosts and then from the DNS, and
lookup user information from NIS then files, use:
hosts: |
files dns |
passwd: |
nis [notfound=return] files |
group: |
nis [notfound=return] files |
The criteria “[notfound=return]” sets a policy of "if the user
is notfound in nis, don't try files." This treats nis as the
authoritative source of information, except when the server is down.
SEE ALSO
getent(1),
nsdispatch(3),
resolv.conf(5),
named(8),
ypbind(8)
HISTORY
The
nsswitch.conf file format first appeared in
NetBSD 1.4.
AUTHORS
Luke Mewburn ⟨lukem@NetBSD.org⟩ wrote this
freely distributable name-service switch implementation, using ideas from the
ULTRIX
svc.conf(5) and Solaris
nsswitch.conf(4) manual
pages.