1 The GNU C library contains an NSS module for the Hesiod name service.
2 Hesiod is a general name service for a variety of applications and is
3 based on the Berkeley Internet Name Daemon (BIND).
8 The Hesiod NSS module implements access to all relevant standard
9 Hesiod types, which means that Hesiod can be used for the `group',
10 `passwd' and `services' databases. There is however a restriction.
11 In the same way that it is impossible to use `gethostent()' to iterate
12 over all the data provided by DNS, it is not possible to scan the
13 entire Hesiod database by means of `getgrent()', `getpwent()' and
14 `getservent()'. Besides, Hesiod only provides support for looking up
15 services by name and not for looking them up by port. In essence this
16 means that the Hesiod name service is only consulted as a result of
17 one of the following function calls:
19 * getgrname(), getgrgid()
20 * getpwname(), getpwuid()
23 and their reentrant counterparts.
26 Configuring your systems
27 ========================
29 Configuring your systems to make use the Hesiod name service requires
30 one or more of the following steps, depending on whether you are
31 already running Hesiod in your network.
36 First you should modify the file `/etc/nsswitch.conf' to tell
37 NSS for which database you want to use the Hesiod name service. If
38 you want to use Hesiod for all databases it can handle your
39 configuration file could look like this:
43 # Example configuration of GNU Name Service Switch functionality.
46 passwd: db files hesiod
47 group: db files hesiod
54 services: db files hesiod
58 For more information on NSS, please refer to the `The GNU C Library
65 Next, you will have to configure Hesiod. If you are already running
66 Hesiod in your network, you probably already have a file named
67 `hesiod.conf' on your machines (probably as `/etc/hesiod.conf' or
68 `/usr/local/etc/hesiod.conf'). The Hesiod NSS module looks for
69 `/etc/hesiod.conf' by default. If there is no configuration file you
70 will want to create your own. It should look something like:
76 The optional classes settings specifies which DNS classes Hesiod
77 should do lookups in. Possible values are IN (the preferred class)
78 and HS (the deprecated class, still used by some sites).
79 You may specify both classes separated by a comma to try one class
80 first and then the other if no entry is available in the first
81 class. The default value of the classes variable is `IN,HS'.
83 The value of rhs can be overridden by the environment variable
86 Configuring your name servers
87 -----------------------------
89 In addition, if you are not already running Hesiod in your network,
90 you need to create Hesiod information on your central name servers.
91 You need to run `named' from BIND 4.9 or higher on these servers, and
92 make them authoritative for the domain `ns.your.domain' with a line in
93 `/etc/named.boot' reading something like:
95 primary ns.your.domain named.hesiod
97 or if you are using the new BIND 8.1 or higher add something to
98 `/etc/named.conf' like:
100 zone "ns.your.domain" {
105 Then in the BIND working directory (usually `/var/named') create the
106 file `named.hesiod' containing data that looks something like:
108 ; SOA and NS records.
109 @ IN SOA server1.your.domain admin-address.your.domain (
110 40000 ; serial - database version number
111 1800 ; refresh - sec servers
112 300 ; retry - for refresh
113 3600000 ; expire - unrefreshed data
115 NS server1.your.domain
116 NS server2.your.domain
118 ; Actual Hesiod data.
119 libc.group TXT "libc:*:123:gnu,gnat"
120 123.gid CNAME libc.group
121 gnu.passwd TXT "gnu:*:4567:123:GNU:/home/gnu:/bin/bash"
122 456.uid CNAME mark.passwd
123 nss.service TXT "nss tcp 789 switch sw "
124 nss.service TXT "nss udp 789 switch sw"
126 where `libc' is an example of a group, `gnu' an example of an user,
127 and `nss' an example of a service. Note that the format used to
128 describe services differs from the format used in `/etc/services'.
129 For more information on `named' refer to the `Name Server Operations
130 Guide for BIND' that is included in the BIND distribution.
136 Note that the information stored in the Hesiod database in principle
137 is publicly available. Care should be taken with including vulnerable
138 information like encrypted passwords in the Hesiod database. There
139 are some ways to improve security by using features provided by
140 `named' (see the discussion about `secure zones' in the BIND
141 documentation), but one should keep in mind that Hesiod was never
142 intended to distribute passwords. In the original design
143 authenticating users was the job of the Kerberos service.
149 For more information on the Hesiod name service take a look at some of
150 the papers in ftp://athena-dist.mit.edu:/pub/ATHENA/usenix and the
151 documentation that accompanies the source code for the Hesiod name
152 service library in ftp://athena-dist.mit.edu:/pub/ATHENA/hesiod.
154 There is a mailing list at MIT for Hesiod users, hesiod@mit.edu. To
155 get yourself on or off the list, send mail to hesiod-request@mit.edu.