nsswitch.conf(5) 맨 페이지 - 윈디하나의 솔라나라


맨 페이지 이름


nsswitch.conf(5)                 File Formats                 nsswitch.conf(5)

       nsswitch.conf - configuration file for the name service switch



       The  operating  system  uses a number of databases of information about
       hosts, services, users (passwd(5), shadow(5),  and  user_attr(5)),  and
       groups.  Data  for  these can come from a variety of sources: hostnames
       and host addresses, for example, can be found in /etc/hosts, NIS, LDAP,
       DNS,  or Multicast DNS. Zero or more sources can be used for each data‐
       base; the sources and their lookup order are specified in the SMF prop‐
       erties of the svc:/system/name-service/switch service. For the purposes
       of backward compatibility, the /etc/nsswitch.conf file  is  regenerated
       from  the configuration in the svc:/system/name-service/switch service.
       The /etc/nsswitch.conf file is considered obsolete.

       The following databases use the switch configuration:

       tab(); lw(1.03i)  lw(1.03i)  lw(3.44i)  lw(1.03i)  lw(1.03i)  lw(3.44i)
       DatabasePropertyUsed By _ aliasesaliassendmail(8) auth_attrauth_attrge‐
       tauthnam(3C)    automountautomountautomount(8)     bootparamsbootparam‐
       rpc.bootparamd(8)  ethersetherethers(3C)  groupgroupgetgrnam(3C)  host‐
       shostT{ getaddrinfo(3C), getnameinfo(3C), gethostent(3C). See  Interac‐
       tion  with  netconfig.  T} netgroupnetgroupinnetgr(3C) netmasksnetmask‐
       ipadm(8) networksnetworkgetnetbyname(3C) passwdpasswordT{ getpwnam(3C),
       getspnam(3C),   getusernam(3C)   T}   prof_attrprof_attrgetprofnam(3C),
       getexecprof(3C)  projectprojectT{   getprojent(3PROJECT),   getdefault‐
       proj(3PROJECT),  inproj(3PROJECT),  newtask(1), setproject(3PROJECT) T}
       protocolsprotocolgetprotobyname(3C) publickeypublickeygetpublickey(3C),
       secure_rpc(3C)   rpcrpcgetrpcbyname(3C)   servicesserviceT{  getservby‐
       name(3C).  See Interaction with  netconfig.   T}  sudoerssudoerssudo(8)
       tnrhtptnrhtptnctl(8) tnrhdbtnrhdbtnctl(8)

       In  the  above  table,  the  Database column shows the form used in the
       /etc/nsswitch.conf file, while the Property column shows the form  used
       in the SMF configuration properties. The ipnodes database used for map‐
       ping hostnames to IPv6 addresses in prior releases  of  Solaris  is  no
       longer  used. Instead the hosts database is used for both IPv4 and IPv6
       addresses. Lookups of user_attr entries currently use the sources spec‐
       ified for the password database.

       The following sources can be used:

       tab();  lw(0.92i)  lw(4.58i)  lw(0.92i)  lw(4.58i) SourceUses _ filesT{
       /etc/hosts,    /etc/passwd,    /etc/shadow,    /etc/security/auth_attr,
       /etc/user_attr  T}  nisNIS  (YP). See nis(7) and ypfiles(5).  ldapLDAP.
       See ldap(7).  adActive Directory. See  ad(7).   dnsT{  Valid  only  for
       hosts. Uses the Internet Domain Name Service.  T} mdnsT{ Valid only for
       hosts. Uses the Multicast Domain Name Service.  T}

       The config property group of the  svc:/system/name-service/switch  ser‐
       vice contains the configuration for the nsswitch.conf file.

       The  config/default property sets the default property for all nsswitch
       databases, while the other properties  can  be  used  to  override  the
       default property if desired.

       For  instance,  if config/default is set to "files", and config/host is
       set to "files dns", then all nsswitch databases default to local  files
       database  access,  except for the host database which will search files
       first and DNS second.

       The following single-valued properties are supported:

       tab(); lw(1.38i) lw(4.13i) lw(1.38i)  lw(4.13i)  PropertyUsage  _  con‐
       fig/defaultDefault  db  configuration  config/hostOverride  for host db
       config/passwordOverride for password db config/groupOverride for  group
       db  config/networkOverride  for  network db config/protocolOverride for
       protocol db config/rpcOverride  for  rpc  db  config/etherOverride  for
       ether db config/netmaskOverride for netmask db config/bootparamOverride
       for bootparam db config/publickeyOverride for publickey db  config/net‐
       groupOverride for netgroup db config/automountOverride for automount db
       config/aliasOverride for alias db config/serviceOverride for service db
       config/projectOverride  for  project  db  config/auth_attrOverride  for
       auth_attr db config/prof_attrOverride  for  prof_attr  db  config/sudo‐
       erOverride  for  sudoers  db  config/tnrhtpOverride  for tnrhtp db con‐
       fig/tnrhdbOverride for tnrhdb db

       Typically the property values are simple  lists  of  sources,  such  as
       "files"  or  "files nis". However, when multiple sources are specified,
       it is sometimes necessary to define precisely the  circumstances  under
       which  each  source  is tried. A source can return one of the following
       status codes:

       tab(); lw(1.38i) lw(4.13i) lw(1.38i) lw(4.13i) StatusMeaning _ SUCCESS‐
       Requested database entry was found.  UNAVAILT{ Source is not configured
       on this system or internal failure.  T}  NOTFOUNDSource  responded  "no
       such  entry" TRYAGAINT{ Source is busy or not responding, might respond
       to retries.  T}

       For each status code, the following actions are possible:

       tab(); lw(1.38i) lw(4.13i) lw(1.38i) lw(4.13i) ActionMeaning _  contin‐
       ueTry the next source in the list.  returnReturn now.

       Additionally, for TRYAGAIN only, the following actions are possible:

       tab(); lw(1.38i) lw(4.13i) lw(1.38i) lw(4.13i) ActionMeaning _ forever‐
       Retry the current source forever.  nT{ Retry the current source n  more
       times,  where n is an integer between 0 and MAX_INT (that is, 2.14 bil‐
       lion). After n retries has been exhausted, the TRYAGAIN action  transi‐
       tions to continue, until a future request receives a response, at which
       time TRYAGAIN=n is restored.  T}

       The complete syntax of an entry is:

         <entry>     ::= <database> ":" [<source> [<criteria>]]*
         <criteria>  ::= "[" <criterion>+ "]"
         <criterion> ::= <status> "=" <action>
         <status>    ::= "success" | "notfound" | "unavail" | "tryagain"

       For every status except TRYAGAIN, the action syntax is:

         <action>    ::= "return"  | "continue"

       For the TRYAGAIN status, the action syntax is:

         <action>    ::= "return"  | "continue" | "forever" | <n>
         <n>         ::= 0...MAX_INT

       Each property is a single valued string. The <source> names  are  case-
       sensitive, but <action> and <status> names are case-insensitive.

       If  a  database  entry  or  default  is  absent, the system defaults to
       "files" in all situations. Additionally if the name service cache  ser‐
       vice  (svc:/system/name-service/cache)  is not enabled, all attempts to
       access remote file services may fail or return incomplete results.

       The default criteria for DNS and  the  NIS  server  in  "DNS-forwarding
       mode"   is  [SUCCESS=return  NOTFOUND=continue  UNAVAIL=continue  TRYA‐

       The default criteria for all  other  sources  is  [SUCCESS=return  NOT‐
       FOUND=continue UNAVAIL=continue TRYAGAIN=forever].

       The  default, or explicitly specified, criteria are meaningless follow‐
       ing the last source in an entry; and they are ignored, since the action
       is  always  to return to the caller irrespective of the status code the
       source returns.

   Interaction with netconfig
       In order to ensure that they all return consistent results, the  getad‐
       drinfo(3C),  gethostbyname(3C),  getservbyname(3C),  and  netdir_getby‐
       name(3C) functions are all implemented in terms of  the  same  internal
       library  function.  This function obtains the system-wide source lookup
       policy for hosts and services based on the inet family entries in  net‐
       config(5)  and  uses  the  switch entries only if the netconfig entries
       have a - (hyphen) in the last column for nametoaddr libraries. See  the
       Notes section in gethostbyname(3C) and getservbyname(3C) for details.

   Interaction with server in DNS-forwarding Mode
       The  NIS  (YP)  server can be run in DNS-forwarding mode, where it for‐
       wards lookup requests to DNS for host-names and -addresses that do  not
       exist  in  its  database.  In this case, specifying nis as a source for
       hosts is sufficient to get DNS  lookups;  dns  need  not  be  specified
       explicitly as a source.

   Interaction with Password Aging
       When  password  aging is turned on, only a limited set of possible name
       services are supported and must follow those rules:

           o      password configuration must have 1, 2, or 3 entries

           o      First password entry must be files

           o      password entries other than files, nis and ldap are  ignored
                  and  skipped during password update. (It is necessary to use
                  a source-specific tool to update a password  in  such  data‐

       Any  other  settings  causes  the  passwd(1)  command  to  fail when it
       attempts to change the password after expiration and prevents the  user
       from  logging  in.  These are the only permitted settings when password
       aging has been turned on. Otherwise,  you  can  work  around  incorrect
       password  configurations  by  using  the  -r repository argument to the
       passwd(1) command and using passwd -r repository to override  the  nss‐
       witch.conf  settings and specify in which name service you want to mod‐
       ify your password.

   Hard-wired Policies
       The compiled-in default entries for all databases is "files".

   Useful Configuration Notes
       When using Active Directory, dns is required to perform  hosts  resolu‐

       It is strongly advised that dns always be used to perform host lookups.
       This is especially true when  ldap  is  being  used  for  name  service
       lookups.  The  use  of ldap for host lookups is not recommended. Adding
       ldap to hosts will likely prevent authentication  to  the  LDAP  server
       while  using  TLS. In order to get information from the Internet Domain
       Name Service for hosts set the config/host property to "files dns", and
       set up the /etc/resolv.conf file (see resolv.conf(5) for more details).

   Enumeration - getXXXent()
       Many  of  the  databases have enumeration functions: password has getp‐
       went(), host has gethostent(), and so on. These  were  reasonable  when
       the  only  source  was files but often make little sense for hierarchi‐
       cally structured sources that contain large numbers  of  entries,  much
       less  for  multiple  sources. The interfaces are still provided and the
       implementations strive to provide  reasonable  results,  but  the  data
       returned  can  be  incomplete  (enumeration for host is simply not sup‐
       ported by the dns source), inconsistent (if multiple sources are used),
       formatted  in  an  unexpected fashion (for a host with a canonical name
       and three aliases, a source might return four hostents, and they  might
       not be consecutive), or very expensive (enumerating a password database
       of 5,000 users is probably a bad idea). Furthermore,  multiple  threads
       in  the  same  process  using  the  same reentrant enumeration function
       (getXXXent_r() are supported beginning with Solaris 2.3) share the same
       enumeration position; if they interleave calls, they enumerate disjoint
       subsets of the same database.

       In general, the use of the enumeration functions is deprecated. In  the
       case of passwd, shadow, and group, it might sometimes be appropriate to
       use fgetgrent(), fgetpwent(), and fgetspent() (see getgrnam(3C), getpw‐
       nam(3C),  and  getspnam(3C),  respectively),  which  use only the files

       Example 1 Displaying current switch configuration

       This command displays the existing configuration of  the  name  service
       switch.  It  shows  the use of the files and ldap sources for automount
       maps and information about users and groups, the use of the  files  and
       dns  sources for host name and address lookup, the use of just the ldap
       source for netgroups, and the default of files for all other databases.

         example% svccfg -s name-service/switch listprop config
         config                     application
         config/automount           astring     "files ldap"
         config/default             astring     files
         config/group               astring     "files ldap"
         config/host                astring     "files dns"
         config/netgroup            astring     ldap
         config/password            astring     "files ldap"

       Example 2 Changing switch configuration

       This command sets host name and address lookup to use the files  source
       first  to  search  the  /etc/hosts and then the dns source to query the
       name servers specified in resolv.conf(5) for information not  found  in
       the hosts file.

         example% svccfg -s name-service/switch
         svc:/system/name-service/switch> setprop config/host = astring: "files dns"
         svc:/system/name-service/switch> select system/name-service/switch:default
         svc:/system/name-service/switch:default> refresh
         svc:/system/name-service/switch:default> validate
         svc:/system/name-service/switch:default> quit

       For  the full set of commands needed to configure and enable DNS usage,
       see Configuring a DNS Client in Configuring and Managing Network Compo‐
       nents in Oracle Solaris 11.4.

       A source named SSS is implemented by a shared object named nss_SSS.so.1
       that resides in /usr/lib as a 32-bit shared object, and in  /usr/lib/64
       as a 64-bit shared object.

       /etc/nsswitch.conf         Configuration file. (Obsolete.)

       /usr/lib/nss_dns.so.1      Implements dns source.

       /usr/lib/nss_files.so.1    Implements files source.

       /usr/lib/nss_mdns.so.1     Implements mdns source.

       /usr/lib/nss_nis.so.1      Implements nis source.

       /usr/lib/nss_ldap.so.1     Implements ldap source.

       /usr/lib/nss_ad.so.1       Implements ad source.

       /etc/netconfig             Configuration  file for netdir(3C) functions
                                  that redirects hosts/devices policy  to  the

       /etc/nsswitch.files        Sample  configuration  file  that uses files

       /etc/nsswitch.nis          Sample configuration file  that  uses  files
                                  and nis.

       /etc/nsswitch.ldap         Sample  configuration  file  that uses files
                                  and ldap.

       /etc/nsswitch.ad           Sample configuration file  that  uses  files
                                  and ad.

       /etc/nsswitch.dns          Sample  configuration  file that uses files,
                                  dns and mdns (dns and mdns only for hosts).

       kpasswd(1),   newtask(1),   passwd(1),   ethers(3C),   getaddrinfo(3C),
       getauthnam(3C),   getexecprof(3C),   getgrnam(3C),   gethostbyname(3C),
       getnetbyname(3C), getnetgrent(3C), getprofnam(3C),  getprotobyname(3C),
       getpublickey(3C),  getpwnam(3C),  getrpcbyname(3C),  getservbyname(3C),
       getspnam(3C),     getuserattr(3C),     getusernam(3C),      netdir(3C),
       secure_rpc(3C),     getdefaultproj(3PROJECT),     getprojent(3PROJECT),
       inproj(3PROJECT),   setproject(3PROJECT),    auth_attr(5),    hosts(5),
       netconfig(5),  project(5),  resolv.conf(5),  user_attr(5),  ypfiles(5),
       ad(7), ldap(7), nis(7), pam_list(7), automount(8), getent(8), ipadm(8),
       mdnsd(8), nscd(8), nscfg(8), rpc.bootparamd(8), sendmail(8), svccfg(8)

       Chapter  4,  Administering  Naming  and Directory Services on an Oracle
       Solaris System in Configuring and Managing Network Components in Oracle
       Solaris 11.4

       Within  each  process  that uses nsswitch.conf, the entire file is read
       only once; if the file is later changed, the  process  continues  using
       the old configuration.

       The  use  of  both  nis  and  ldap  as sources for the same database is
       strongly discouraged since both the name services are expected to store
       similar information and the lookups on the database can yield different
       results depending on which name service is operational at the  time  of
       the request.

       Do  not  use  the ldap and ad keywords together when the Oracle Solaris
       LDAP client uses schema mapping to talk to Active Directory.

       Misspelled names of sources and databases  are  treated  as  legitimate
       names of (most likely non-existent) sources and databases.

       The  compat backend and the use of '+' or '-' interactions in the pass‐
       word and group files is no longer supported.

       nsswitch.conf does not  control  the  name  service  configuration  for
       everything in Oracle Solaris.

       The  following functions do not use the switch: fgetgrent(3C), fgetpro‐
       jent(3PROJECT), fgetpwent(3C), fgetspent(3C), getpw(3C), putpwent(3C).

       To lookup entries in a database from the  command  line  following  the
       switch  configuration,  use  the getent(8) command. Name service client
       commands  such  as  delv(1),  dig(1),  nslookup(1),  ldaplist(1),   and
       ypmatch(1)  bypass  the  switch  configuration and look solely in their
       respective name service.

Oracle Solaris 11.4               11 May 2021                 nsswitch.conf(5)
맨 페이지 내용의 저작권은 맨 페이지 작성자에게 있습니다.