Chapter 2 The Name Service Switch (Overview)

This chapter describes the name service switch. You use the name service switch to coordinate usage of different naming services.

About the Name Service Switch

The name service switch is a file which is named, nsswitch.conf. The name service switch controls how a client machine or application obtains network information. The name service switch is used by client applications that call any of the getXbyY() interfaces such as the following.

• gethostbyname()

• getpwuid()

• getpwnam()

• getaddrinfo()

Each machine has a switch file in its /etc directory. Each line of that file identifies a particular type of network information, such as host, password, and group, followed by one or more locations of that information.

A client can obtain naming information from one or more of the switch's sources. For example, an NIS+ client could obtain its hosts information from an NIS+ table and its password information from a local /etc file. In addition, the client could specify the conditions under which the switch must use each source. See Table 2–1.

The Solaris system automatically loads an nsswitch.conf file into every machine's /etc directory as part of the installation process. Four alternate (template) versions of the switch file are also loaded into /etc for LDAP, NIS, NIS+, or files. See The nsswitch.conf Template Files.

These four files are alternate default switch files. Each file is designed for a different primary naming service: /etc files, NIS, NIS+, or LDAP. When the Solaris software is first installed on a machine, the installer selects the machine's default naming service: NIS+, NIS, local files, or LDAP. During installation, the corresponding template file is copied to nsswitch.conf. For example, for a machine client using LDAP, the installation process copies nsswitch.ldap to nsswitch.conf. Unless you have an unusual namespace, the default template file as copied to nsswitch.conf should be sufficient for normal operation.

No default file is provided for DNS, but you can edit any of these files to use DNS. For more information see DNS and Internet Access.

If you later change a machine's primary naming service, you copy the appropriate alternate switch file to nsswitch.conf. See The nsswitch.conf Template Files. You can also change the sources of particular types of network information used by the client by editing the appropriate lines of the /etc/nsswitch.conf file. The syntax is described below, and additional instructions are provided in How to Modify the Name Service Switch.

Format of the nsswitch.conf File

The nsswitch.conf file is essentially a list of 16 types of information and the sources that getXXbyYY() routines search for that information. The 16 types of information, not necessarily in this order, are the following.

• aliases

• bootparams

• ethers

• group

• hosts

• ipnodes

• netgroup

• netmasks

• networks

• passwd, which includes shadow information

• protocols

• publickey

• rpc

• services

• automount

• sendmailvars

The following table provides a description of the kind of sources that can be listed in the switch file for the information types above.

Search Criteria

Single Source. If an information type has only one source, such as nisplus a routine using the switch searches for the information in that source only. If the routine finds the information, the routine returns a success status message. If the routine does not find the information, the routine stops searching and returns a different status message. What the routine does with the status message varies from routine to routine.

Multiple Sources. If a table contains multiple sources for a given information type, the switch directs the routine to search in the first listed source. If the routine finds the information, the routine returns a success status message. If the routine does not find the information in the first source, the routine tries the next source. The routine searches all sources until the routine has found the information, or until the routine is halted by a return specification. If all of the listed sources are searched without finding the information, the routine stops searching and returns a non-success status message.

Switch Status Messages

If a routine finds the information, the routine returns a success status message. If the routine does not find the information, the routine returns one of three error status messages. Possible status messages are listed in the following table.

Switch Action Options

You can instruct the switch to respond to status messages with either of the two actions shown in the following table.

Default Search Criteria

The combination of nsswitch.conf file status message and action option determines what the routine does at each step. The combination of status and action make up the search criteria.

The switch's default search criteria are the same for every source. As described in terms of the status messages listed above, see the following.

• SUCCESS=return. Stop looking for the information. Proceed using the information that has been found.

• UNAVAIL=continue. Go to the next nsswitch.conf file source and continue searching. If this source is the last or only source, return with a NOTFOUND status.

• NOTFOUND=continue. Go to the next nsswitch.conf file source and continue searching. If this source is the last or only source, return with a NOTFOUND status.

• TRYAGAIN=continue. Go to the next nsswitch.conf file source and continue searching. If this source is the last or only source, return with a NOTFOUND status.

You can change default search criteria by explicitly specifying some other criteria by using the STATUS=action syntax shown above. For example, the default action for a NOTFOUND condition is to continue the search to the next source. For example, to specify for networks, the search should stop in a NOTFOUND condition, edit the networks line of the switch file. The line would read as follows.

networks: nis [NOTFOUND=return] files

The networks: nis [NOTFOUND=return] files line specifies a nondefault criterion for the NOTFOUND status. Nondefault criteria are delimited by square brackets.

In this example, the search routine behaves as follows:

• If the networks map is available, and contains the needed information, the routine returns with a SUCCESS status message.

• If the networks map is not available, the routine returns with an UNAVAIL status message. By default, the routine continues to search the appropriate /etc file.

• If the networks map is available and found, but the map does not contain the needed information, the routine returns with a NOTFOUND message. But, instead of continuing on to search the appropriate /etc file, which would be the default behavior, the routine stops searching.

• If the networks map is busy, the routine returns with an TRYAGAIN status message and by default continues on to search the appropriate /etc file.

Lookups in the nsswitch.conf file are done in the order in which items are listed. However, password updates are done in reverse order, unless otherwise specified by using the passwd -r repository command. See The Switch File and Password Information for more information.

What if the Syntax is Wrong?

Client library routines contain compiled-in default entries that are used if an entry in the nsswitch.conf file is either missing or syntactically incorrect. These entries are the same as the switch file's defaults.

The name service switch assumes that the table and source names are spelled correctly. If you misspell a table or source name, the switch uses default values.

Auto_home and Auto_master

The switch search criteria for the auto_home and auto_master tables and maps is combined into one category, which is called automount.

Timezone and the Switch File

The timezone table does not use the switch, so the table is not included in the switch file's list.

Comments in nsswitch.conf Files

Any nsswitch.conf file line beginning with a comment character (#) is interpreted as a comment line. A comment line is ignored by routines that search the file.

Characters preceding a comment mark are interpreted by routines that search the nsswitch.conf file. Characters to the right of the comment mark are interpreted as comments and ignored.

Keyserver and publickey Entry in the Switch File

You must restart the keyserver after you make a change to nsswitch.conf.

The keyserver reads the publickey entry in the name service switch configuration file only when the keyserver is started. If you change the switch configuration file, the keyserver does not register the changes until the keyserver is restarted.

The nsswitch.conf Template Files

Four switch template files are provided with the Solaris system to accommodate different naming services. Each file provides a different default set of information sources.

The four template files are the following.

• LDAP template file. The nsswitch.ldap configuration file specifies the LDAP directory as the primary source of information for the machine.

  ---

  Note –

  In order to use LDAP naming services, you must also properly configure all LDAP client machines, in addition to modifying the nsswitch.conf. See Chapter 12, Setting Up LDAP Clients (Tasks) for more information.

  ---

• NIS+ template file. The nsswitch.nisplus configuration file specifies NIS+ as the primary source for all information except passwd, group, automount, and aliases. For those four files, the primary source is local /etc files. The secondary source is an NIS+ table. The [NOTFOUND=return] search criterion instructs the switch to stop searching the NIS+ tables if the switch gets a “No such entry” message. The switch searches through local files only if the NIS+ server is unavailable.

• NIS template file. The nsswitch.nis configuration file is almost identical to the NIS+ configuration file, except that NIS file specifies NIS maps in place of NIS+ tables. Because the search order for passwd and group is files nis, you don't need to place the + entry in the /etc/passwd and /etc/group files.

• Files template file. The nsswitch.files configuration file specifies local /etc files as the only source of information for the machine. There is no “files” source for netgroup, so the client does not use that entry in the switch file.

Copy the template file that most closely meets your requirements to the nsswitch.conf configuration file and then modify the file as needed.

For example, to use the LDAP template file, you would type the following command.

mymachine# cp /etc/nsswitch.ldap /etc/nsswitch.conf

The Default Switch Template Files

The following four switch files are supplied with the Solaris product.

Example 2–1 NIS+ Switch File Template: nsswitch.nisplus

#
#
# /etc/nsswitch.nisplus:
#
#
# An example file that could be copied over to /etc/nsswitch.conf;
# it uses NIS+ (NIS Version 3) in conjunction with files.
#
# "hosts:" and "services:" in this file are used only if the
# /etc/netconfig file has a "-" for nametoaddr_libs of "inet"
# transports.
 
# the following two lines obviate the "+" entry in /etc/passwd 
# and /etc/group.
passwd: files nisplus
group: files nisplus
# consult /etc "files" only if nisplus is down. 
hosts: nisplus [NOTFOUND=return] files
# Uncomment the following line, and comment out the above, to use 
# both DNS and NIS+. You must also set up the /etc/resolv.conf 
# file for DNS name server lookup. See resolv.conf(4).
# hosts: nisplus dns [NOTFOUND=return] files
services: nisplus [NOTFOUND=return] files
networks: nisplus [NOTFOUND=return] files
protocols: nisplus [NOTFOUND=return] files
rpc: nisplus [NOTFOUND=return] files
ethers: nisplus [NOTFOUND=return] files
netmasks: nisplus [NOTFOUND=return] files	
bootparams: nisplus [NOTFOUND=return] files
publickey: nisplus
netgroup: nisplus
automount: files nisplus
aliases: files nisplus
sendmailvars: files nisplus

For the publickey entry, the nisplus value must be first in the list of values. For example, publickey: nisplus files is the correct entry for an nsswitch.conf file that multiple NIS+ domains consult.

Example 2–2 NIS Switch File Template

#
# /etc/nsswitch.nis:
#
# An example file that could be copied over to /etc/nsswitch.conf;
# it uses NIS (YP) in conjunction with files.
#
# "hosts:" and "services:" in this file are used only if the
# /etc/netconfig file has a "-" for nametoaddr_libs of "inet"
# transports.
#
# the following two lines obviate the "+" entry in /etc/passwd
# and /etc/group.
passwd: files nis
group: files nis
# consult /etc "files" only if nis is down. 
hosts: nis [NOTFOUND=return] files
networks: nis [NOTFOUND=return] files
protocols: nis [NOTFOUND=return] files
rpc: nis [NOTFOUND=return] files
ethers: nis [NOTFOUND=return] files
netmasks: nis [NOTFOUND=return] files	
bootparams: nis [NOTFOUND=return] files
publickey: nis [NOTFOUND=return] files
netgroup: nis
automount: files nis
aliases: files nis
# for efficient getservbyname() avoid nis
services: files nis
sendmailvars: files

Example 2–3 Files Switch File Template

#
# /etc/nsswitch.files:
#
# An example file that could be copied over to /etc/nsswitch.conf;
# it does not use any naming service.
#
# "hosts:" and "services:" in this file are used only if the
# /etc/netconfig file has a "-" for nametoaddr_libs of "inet"
# transports.
passwd: files
group: files
hosts: files
networks: files
protocols: files
rpc: files
ethers: files
netmasks: files	
bootparams: files
publickey: files
# At present there isn't a 'files' back end for netgroup;
# the system will figure it out pretty quickly, and will notuse
# netgroups at all.
netgroup: files
automount: files
aliases: files
services: files
sendmailvars: files

Example 2–4 LDAP Switch File Template

#
# /etc/nsswitch.ldap:
#
# An example file that could be copied over to /etc/nsswitch.conf; it
# uses LDAP in conjunction with files.
#
# "hosts:" and "services:" in this file are used only if the
# /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.

# the following two lines obviate the "+" entry in /etc/passwd 
and /etc/group.
passwd:     files ldap
group:      files ldap

hosts:      ldap [NOTFOUND=return] files

networks:   ldap [NOTFOUND=return] files
protocols:  ldap [NOTFOUND=return] files
rpc:        ldap [NOTFOUND=return] files
ethers:     ldap [NOTFOUND=return] files
netmasks:   ldap [NOTFOUND=return] files
bootparams: ldap [NOTFOUND=return] files
publickey:  ldap [NOTFOUND=return] files

netgroup:   ldap

automount:  files ldap
aliases:    files ldap

# for efficient getservbyname() avoid ldap
services:   files ldap
sendmailvars:   files

The nsswitch.conf File

The default nsswitch.conf file that is installed with the Solaris software is determined by which naming service you select during the installation process. Each line identifies a particular type of network information, such as host, password, and group, along with the information source, such as NIS+ tables, NIS maps, the DNS hosts table, or local /etc. When you chose a naming service, the switch template file for that service is copied to create the new nsswitch.conf file. For example, if you choose NIS+, the nsswitch.nisplus file is copied to create a new nsswitch.conf file.

An nsswitch.conf file is automatically loaded into every machine's /etc directory by the Solaris 9 release software, along with the following alternate (template) versions.

• /etc/nsswitch.nisplus

• /etc/nsswitch.nis

• /etc/nsswitch.files

• /etc/nsswitch.ldap

These alternate template files contain the default switch configurations used by the NIS+ and NIS services, local files, and LDAP. No default file is provided for DNS, but you can edit any of these files to use DNS. When the Solaris software is first installed on a machine, the installer selects the machine's default naming service. During installation, the corresponding template file is copied to /etc/nsswitch.conf. For example, for a machine client using NIS+, the installation process copies nsswitch.nisplus to nsswitch.conf.

If your network is connected to the Internet and users must access Internet hosts using DNS, you must enable DNS forwarding.

Unless you have an unusual namespace, the default template file as copied to nsswitch.conf should be sufficient for normal operation.

Selecting a Different Configuration File

When you change a machine's naming service, you need to modify that machine's switch file accordingly. For example, if you change a machine's naming service from NIS to NIS+, you need to install a switch file appropriate for NIS+. You change switch files by copying the appropriate template file to nsswitch.conf.

If you are installing NIS+ on a machine using the NIS+ installation scripts, the NIS+ template script is copied to nsswitch.conf for you. In this case, you do not have to configure the switch file unless you want to customize.

Before proceeding to change switch files, make sure the sources listed in the file are properly set up. In other words, if you are going to select the NIS+ version, the client must eventually have access to NIS+ service. If you select the local files version, those files must be properly set up on the client.

How to Modify the Name Service Switch

To change to a switch file, follow these steps.

In order to use LDAP naming services, you must also properly configure all LDAP client machines, in addition to modifying the nsswitch.conf. See Chapter 12, Setting Up LDAP Clients (Tasks) for more information.

1. Become superuser or assume an equivalent role.

   Roles contain authorizations and privileged commands. For more information about roles, see Chapter 9, Using Role-Based Access Control (Tasks), in System Administration Guide: Security Services.

2. Copy the appropriate alternate file for the machine's naming service over the nsswitch.conf file.

   NIS+ Version (done automatically for you by NIS+ scripts)

   client1# cd /etc client1# cp nsswitch.nisplus nsswitch.conf

   NIS Version

   client1# cd /etc client1# cp nsswitch.nis nsswitch.conf

   Local /etc Files Version

   client1# cd /etc client1# cp nsswitch.files nsswitch.conf

3. Reboot the machine.

   The nscd daemon caches switch information. See the nscd(1M) man page for information.

   Some library routines do not periodically check the nsswitch.conf file to see whether the file has been changed. You must reboot the machine to make sure that the daemon and those routines have the latest information in the file.

DNS and Internet Access

The nsswitch.conf file also controls DNS forwarding for clients as described in the following subsections. DNS forwarding grants Internet access to clients. For information on how to set DNS forwarding for NIS and NIS+, see System Administration Guide: Naming and Directory Services (NIS+).

IPv6 and Solaris Naming Services

NIS, NIS+ and LDAP support storing IPv6 data, as well as using IPv6 transports for protocol traffic. Beginning with BIND version 8.3.3, DNS on Solaris supports the use of IPv6 transports on the client side. As of BIND version 8.4.2, DNS provides a complete client-server solution over IPv6 networks on Solaris.

The nsswitch.conf file controls search criteria for IPv6 addresses. IPv6 increases the IP address size from 32 bits to 128 bits to support more levels of addressing hierarchy. A larger address size provides a greater number of addressable nodes. For more information about IPv6, its configuration and implementation, see System Administration Guide: IP Services.

Use the new ipnodes source for IPv6 addresses. The /etc/inet/ipnodes file stores both IPv4 and IPv6 addresses. The /etc/inet/ipnodes file uses the same format convention as the /etc/hosts file.

IPv6 aware naming services use the new ipnodes source for its search forwarding. For instance, if LDAP is aware of IPv6 addresses, specify the following.

ipnodes: ldap [NOTFOUND=return] files

Potential delay issues:

• ipnodes defaults to files. During the transition from IPv4 to IPv6, where all naming services are not aware of IPv6 addresses, accept the files default. Otherwise, unnecessary delays, such as boot timing delays, might result during the resolution of addresses.

• An application searches all ipnodes databases for IPv4 addresses before searching for IPv4 addresses in the hosts databases. Before specifying ipnodes, consider the inherent delay of searching both databases for IPv4 addresses.

Ensuring Compatibility With +/- Syntax

If +/- is used in /etc/passwd, /etc/shadow, and /etc/group files, you need to modify the nsswitch.conf file to insure compatibility.

• NIS+. To provide +/- semantics with NIS+, change the passwd and groups sources to compat. Then, add a passwd_compat: nisplus entry to the nsswitch.conf file after the passwd or group entry as shown below.

  passwd: compat passwd_compat: nisplus group: compat group_compat: nisplus

  The above specifies that client routines obtain their network information from /etc files and NIS+ tables as indicated by the +/- entries in the files.

• NIS. To provide the same syntax as in the Solaris 4.x release, change the passwd and groups sources to compat.

  passwd: compat group: compat

  Specifies the /etc files and NIS maps as indicated by the +/- entries in the files.

  ---

  Note –

  Users working on a client machine being served by an NIS+ server running in NIS compatibility mode cannot run ypcat on the netgroup table. Doing so gives you results as if the table were empty even if the table has entries.

  ---

The Switch File and Password Information

It is possible to include and access password information in multiple repositories, such as files and nisplus. You can use the nsswitch.conf file to establish the lookup order for that information.

files must be the first source in the nsswitch.conf file for passwd information.

In an NIS+ environment, the passwd line of the nsswitch.conf file should list the repositories in the following order.

passwd: files nisplus

In an NIS environment, the passwd line of the nsswitch.conf file should list the repositories in the following order.

passwd: files nis

Listing files first allows root to log in, under most circumstances, even when the system encounters some network or naming services issues.

Maintaining multiple repositories for the same user is not recommended. By maintaining centralized password management in a single repository for each user, you reduce the possibilities of confusion and error. If you choose to maintain multiple repositories per user, update password information by using the passwd -r command.

passwd -r repository

If no repository is specified with the -r option, passwd updates the repositories listed in nsswitch.conf in reverse order.