.\" Copyright (c) 1998, 1999 Thorsten Kukuk (kukuk@vt.uni-paderborn.de)
.\" Copyright (c) 2011, Mark R. Bannister <cambridge@users.sourceforge.net>
.\" SPDX-License-Identifier: GPL-2.0-or-later
.TH nsswitch.conf 5 (date) "Linux man-pages (unreleased)"
nsswitch.conf \- Name Service Switch configuration file
The Name Service Switch (NSS) configuration file,
.IR /etc/nsswitch.conf ,
is used by the GNU C Library and certain other applications to determine
the sources from which to obtain name-service information in
a range of categories,
Each category of information is identified by a database name.
The file is plain ASCII text, with columns separated by spaces or tab
The first column specifies the database name.
The remaining columns describe the order of sources to query and a
limited set of actions that can be performed by lookup result.
The following databases are understood by the GNU C Library:
and related functions.
Groups of users, used by
and related functions.
Host names and numbers, used by
and related functions.
Supplementary group access list, used by
Network-wide list of hosts and users, used for access rules.
C libraries before glibc 2.1 supported netgroups only over NIS.
Network names and numbers, used by
and related functions.
User passwords, used by
and related functions.
Network protocols, used by
and related functions.
Public and secret keys for Secure_RPC used by NFS and NIS+.
Remote procedure call names and numbers, used by
and related functions.
Network services, used by
and related functions.
Shadow user passwords, used by
and related functions.
The GNU C Library ignores databases with unknown names.
Some applications use this to implement special handling for their own
Delegation of subordinate user/group IDs
can be configured using the
.I /etc/nsswitch.conf
hosts: dns [!UNAVAIL=return] files
networks: nis [NOTFOUND=return] files
ethers: nis [NOTFOUND=return] files
protocols: nis [NOTFOUND=return] files
rpc: nis [NOTFOUND=return] files
services: nis [NOTFOUND=return] files
The first column is the database name.
The remaining columns specify:
One or more service specifications, for example, "files", "db", or "nis".
The order of the services on the line determines the order in which
those services will be queried, in turn, until a result is found.
Optional actions to perform if a particular result is obtained
from the preceding service, for example, "[NOTFOUND=return]".
The service specifications supported on your system depend on the
presence of shared libraries, and are therefore extensible.
.IB /lib/libnss_SERVICE.so. X
will provide the named
On a standard installation, you can use
"files", "db", "nis", and "nisplus".
database, you can additionally specify "dns".
databases, you can additionally specify
.B "Compatibility mode"
may be 1 for glibc 2.0, or 2 for glibc 2.1 and later.
On systems with additional libraries installed, you may have access to
further services such as "hesiod", "ldap", "winbind", and "wins".
An action may also be specified following a service specification.
The action modifies the behavior following a result obtained
from the preceding data source.
Action items take the general form:
.RI [ STATUS = ACTION ]
.RI [! STATUS = ACTION ]
The ! negates the test, matching all possible results except the
The case of the keywords is not significant.
value is matched against the result of the lookup function called by
the preceding service specification, and can be one of:
No error occurred and the requested entry is returned.
The default action for this condition is "return".
The lookup succeeded, but the requested entry was not found.
The default action for this condition is "continue".
The service is permanently unavailable.
This can mean either that the
required file cannot be read, or, for network services, that the server
is not available or does not allow queries.
The default action for this condition is "continue".
The service is temporarily unavailable.
This could mean a file is
locked or a server currently cannot accept more connections.
The default action for this condition is "continue".
Do not call any further lookup functions.
However, for compatibility reasons, if this is the selected action for the
status, and the configuration file does not contain the
line, the next lookup function is always called,
without affecting the search result.
Call the next lookup function.
is used between two database entries.
When a group is located in the first of the two group entries,
processing will continue on to the next one.
If the group is also found in the next entry (and the group name and GID
are an exact match), the member list of the second entry will be added
to the group object to be returned.
Available since glibc 2.24.
Note that merging will not be done for
nor will duplicate members be pruned when they occur in both entries
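The status and action rules above decide which sources are ever consulted, which matters when auditing whether a local file can override a network source. The following simulator is an added example, not part of the man page or of glibc; parse_line, walk and the per-service status input are hypothetical names, and it models only the "return" and "continue" actions with the default actions listed above.

```python
import re

# Default action for each lookup status, as stated in the man page text.
DEFAULTS = {"success": "return", "notfound": "continue",
            "unavail": "continue", "tryagain": "continue"}

def parse_line(line):
    """Parse 'db: svc [STATUS=ACTION] svc ...' into (db, [(svc, actions)])."""
    db, sep, rest = line.partition(":")
    if not sep:
        raise ValueError("missing ':' after database name")
    chain = []
    for tok in re.findall(r"\[[^\]]*\]|\S+", rest):
        if not tok.startswith("["):
            chain.append((tok, dict(DEFAULTS)))
            continue
        if not chain:
            raise ValueError("action item before any service")
        for item in tok[1:-1].split():
            negate = item.startswith("!")
            status, _, action = item.lstrip("!").lower().partition("=")
            if status not in DEFAULTS or action not in ("return", "continue"):
                raise ValueError(f"unsupported action item: {item}")
            # '!' applies the action to every status except the named one.
            for s in DEFAULTS:
                if (s != status) == negate:
                    chain[-1][1][s] = action
    return db.strip(), chain

def walk(chain, results):
    """Return (services queried in order, service whose entry is used or None).

    results maps service name -> status (hypothetical input);
    services not listed are treated as "unavail".
    """
    queried, status = [], None
    for service, actions in chain:
        status = results.get(service, "unavail")
        queried.append(service)
        if actions[status] == "return":
            break
    return queried, (queried[-1] if status == "success" else None)

# Constructed sample: the hosts line from the example file above.
HOSTS = parse_line("hosts: dns [!UNAVAIL=return] files")[1]
```

With this hosts line, walk(HOSTS, {"dns": "notfound", "files": "success"}) stops at "dns", so an entry present only in the local hosts file is used solely when DNS reports UNAVAIL.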
.SS Compatibility mode (compat)
The NSS "compat" service is similar to "files" except that it
additionally permits special entries in corresponding files
for granting users or members of netgroups access to the system.
The following entries are valid in this mode:
Include the specified
from the NIS passwd/shadow map.
Include all users in the given
Exclude the specified
from the NIS passwd/shadow map.
Exclude all users in the given
Include every user, except previously excluded ones, from the
NIS passwd/shadow map.
Include the specified
from the NIS group map.
Exclude the specified
from the NIS group map.
Include every group, except previously excluded ones, from the
By default, the source is "nis", but this may be
overridden by specifying any NSS service except "compat" itself
as the source for the pseudo-databases
is implemented by a shared object library named
.IB libnss_SERVICE.so. X
.I /etc/nsswitch.conf
NSS configuration file.
.IB /lib/libnss_compat.so. X
implements "compat" source.
.IB /lib/libnss_db.so. X
implements "db" source.
.IB /lib/libnss_dns.so. X
implements "dns" source.
.IB /lib/libnss_files.so. X
implements "files" source.
.IB /lib/libnss_hesiod.so. X
implements "hesiod" source.
.IB /lib/libnss_nis.so. X
implements "nis" source.
.IB /lib/libnss_nisplus.so. X
implements "nisplus" source.
The following files are read when "files" source is specified
for respective databases:
Starting with glibc 2.33,
.\" https://sourceware.org/bugzilla/show_bug.cgi?id=12459
is automatically reloaded if the file is changed.
In earlier versions, the entire file was read only once within each process.
If the file was later changed,
the process would continue using the old configuration.
Traditionally, there was only a single source for service information,
often in the form of a single configuration
file (e.g., \fI/etc/passwd\fP).
However, as other name services, such as the Network Information
Service (NIS) and the Domain Name Service (DNS), became popular,
that would be more flexible than fixed search orders coded into
The Name Service Switch mechanism,
which was based on the mechanism used by
Sun Microsystems in the Solaris 2 C library,
introduced a cleaner solution to the problem.