This chapter describes the name service switch. You use the name service switch to coordinate usage of different naming services. nsswitch.conf fileintroductiongetXbyYThe name service switch is a file which is named, nsswitch.conf. The name service switch controls how a client machine or application obtains network information. The name service switch is used by client applications that call any of the getXbyY interfaces such as the following.gethostbynamename service switch andgethostbyname getpwuidname service switch andgetpwuid getpwnamname service switch andgetpwnam getaddrinfoname service switch andgetaddrinfo Each machine has a switch file in its /etc directory. Each line of that file identifies a particular type of network information, such as host, password, and group, followed by one or more locations of that information.A client can obtain naming information from one or more of the switch's sources. For example, an NIS+ client could obtain its hosts information from an NIS+ table and its password information from a local /etc file. In addition, the client could specify the conditions under which the switch must use each source. See Table 2–1.nsswitch.conf filetemplatesThe Solaris system automatically loads an nsswitch.conf file into every machine's /etc directory as part of the installation process. Four alternate (template) versions of the switch file are also loaded into /etc for LDAP, NIS, NIS+, or files. See The nsswitch.conf Template Files.These four files are alternate default switch files. Each file is designed for a different primary naming service: /etc files, NIS, NIS+, or LDAP. When the Solaris software is first installed on a machine, the installer selects the machine's default naming service: NIS+, NIS, local files, or LDAP. During installation, the corresponding template file is copied to nsswitch.conf. For example, for a machine client using LDAP, the installation process copies nsswitch.ldap to nsswitch.conf. Unless you have an unusual namespace, the default template file as copied to nsswitch.conf should be sufficient for normal operation.nsswitch.conf fileDNS andDNSnsswitch.conf file andNo default file is provided for DNS, but you can edit any of these files to use DNS. For more information see DNS and Internet Access.If you later change a machine's primary naming service, you copy the appropriate alternate switch file to nsswitch.conf. See The nsswitch.conf Template Files. You can also change the sources of particular types of network information used by the client by editing the appropriate lines of the /etc/nsswitch.conf file. The syntax is described below, and additional instructions are provided in How to Modify the Name Service Switch.nsswitch.conf fileformat ofThe nsswitch.conf file is essentially a list of 16 types of information and the sources that getXXbyYY routines search for that information. The 16 types of information, not necessarily in this order, are the following.aliases bootparams ethers group hosts ipnodes netgroup netmasks networks passwd, which includes shadow information protocols publickey rpc services automount sendmailvars The following table provides a description of the kind of sources that can be listed in the switch file for the information types above.Information Sources Description files A file stored in the client's /etc directory. For example, /etc/passwd nisplus An NIS+ table. For example, the hosts table. nis An NIS map. For example, the hosts map. compat compat can be used for password and group information to support old-style + or - syntax in /etc/passwd, /etc/shadow, and /etc/group files. dns Can be used to specify that host information be obtained from DNS. ldap Can be used to specify entries be obtained from the LDAP directory. nsswitch.conf filesearch criteria Single Source. If an information type has only one source, such as nisplus a routine using the switch searches for the information in that source only. If the routine finds the information, the routine returns a success status message. If the routine does not find the information, the routine stops searching and returns a different status message. What the routine does with the status message varies from routine to routine.Multiple Sources. If a table contains multiple sources for a given information type, the switch directs the routine to search in the first listed source. If the routine finds the information, the routine returns a success status message. If the routine does not find the information in the first source, the routine tries the next source. The routine searches all sources until the routine has found the information, or until the routine is halted by a return specification. If all of the listed sources are searched without finding the information, the routine stops searching and returns a non-success status message. nsswitch.conf filestatus messages nsswitch.conf filemessages If a routine finds the information, the routine returns a success status message. If the routine does not find the information, the routine returns one of three error status messages. Possible status messages are listed in the following table.Status Message Meaning of Message SUCCESS The requested entry was found in the specified source. UNAVAIL The source is either unresponsive or unavailable. In other words, neither the NIS+ table, the NIS map, nor the /etc file could be found or be accessed. NOTFOUND The source responded with “No such entry.” In other words, the table, map, or file was accessed but the needed information was not found. TRYAGAIN The source is busy. The source might respond next time. In other words, the table, map, or file was found, but could not respond to the query. nsswitch.conf fileactions nsswitch.conf fileoptions You can instruct the switch to respond to status messages with either of the two actions shown in the following table.Action Meaning return Stop looking for the information. continue Try the next source. nsswitch.conf filesearch criteria The combination of nsswitch.conf file status message and action option determines what the routine does at each step. The combination of status and action make up the search criteria.nsswitch.conf filestatus messagesThe switch's default search criteria are the same for every source. As described in terms of the status messages listed above, see the following.nsswitch.conf fileSUCCESS=returnSUCCESS=return. Stop looking for the information. Proceed using the information that has been found. nsswitch.conf fileUNAVAIL=continueUNAVAIL=continue. Go to the next nsswitch.conf file source and continue searching. If this source is the last or only source, return with a NOTFOUND status. nsswitch.conf fileNOTFOUND=continueNOTFOUND=continue. Go to the next nsswitch.conf file source and continue searching. If this source is the last or only source, return with a NOTFOUND status. nsswitch.conf fileTRYAGAIN=continueTRYAGAIN=continue. Go to the next nsswitch.conf file source and continue searching. If this source is the last or only source, return with a NOTFOUND status. nsswitch.conf filemodifyingYou can change default search criteria by explicitly specifying some other criteria by using the STATUS=action syntax shown above. For example, the default action for a NOTFOUND condition is to continue the search to the next source. For example, to specify for networks, the search should stop in a NOTFOUND condition, edit the networks line of the switch file. The line would read as follows.networks: nis [NOTFOUND=return] filesThe networks: nis [NOTFOUND=return] files line specifies a nondefault criterion for the NOTFOUND status. Nondefault criteria are delimited by square brackets.In this example, the search routine behaves as follows:If the networks map is available, and contains the needed information, the routine returns with a SUCCESS status message. If the networks map is not available, the routine returns with an UNAVAIL status message. By default, the routine continues to search the appropriate /etc file. If the networks map is available and found, but the map does not contain the needed information, the routine returns with a NOTFOUND message. But, instead of continuing on to search the appropriate /etc file, which would be the default behavior, the routine stops searching. If the networks map is busy, the routine returns with an TRYAGAIN status message and by default continues on to search the appropriate /etc file. Lookups in the nsswitch.conf file are done in the order in which items are listed. However, password updates are done in reverse order, unless otherwise specified by using the passwd r repository command. See The Switch File and Password Information for more information. nsswitch.conf filemissing entries nsswitch.conf fileincorrect syntax Client library routines contain compiled-in default entries that are used if an entry in the nsswitch.conf file is either missing or syntactically incorrect. These entries are the same as the switch file's defaults.The name service switch assumes that the table and source names are spelled correctly. If you misspell a table or source name, the switch uses default values. nsswitch.conf fileAuto_home table nsswitch.conf fileAuto_master table auto_master tablensswitch.conf file and auto_home tablensswitch.conf file and The switch search criteria for the auto_home and auto_master tables and maps is combined into one category, which is called automount. nsswitch.conf filetimezone table timezone tableThe timezone table does not use the switch, so the table is not included in the switch file's list. nsswitch.conf filecomments in nsswitch.conf fileAny nsswitch.conf file line beginning with a comment character (#) is interpreted as a comment line. A comment line is ignored by routines that search the file.Characters preceding a comment mark are interpreted by routines that search the nsswitch.conf file. Characters to the right of the comment mark are interpreted as comments and ignored.Type of Line Example Comment line. # hosts: nisplus [NOTFOUND=return] files Interpreted line. hosts: nisplus [NOTFOUND=return] file Partially interpreted line. The files element is not interpreted. hosts: nisplus [NOTFOUND=return] # files nsswitch.conf filekeyserver entrynsswitch.conf filepublickey entrykeyservernsswitch.conf file andYou must restart the keyserver after you make a change to nsswitch.conf. The keyserver reads the publickey entry in the name service switch configuration file only when the keyserver is started. If you change the switch configuration file, the keyserver does not register the changes until the keyserver is restarted. nsswitch.conf filetemplates Four switch template files are provided with the Solaris system to accommodate different naming services. Each file provides a different default set of information sources.The four template files are the following.nsswitch.conf filensswitch.files file andLDAP template file. The nsswitch.ldap configuration file specifies the LDAP directory as the primary source of information for the machine.In order to use LDAP naming services, you must also properly configure all LDAP client machines, in addition to modifying the nsswitch.conf. See Chapter 12, Setting Up LDAP Clients (Tasks) for more information. nsswitch.conf filensswitch.nisplus fileNIS+ template file. The nsswitch.nisplus configuration file specifies NIS+ as the primary source for all information except passwd, group, automount, and aliases. For those four files, the primary source is local /etc files. The secondary source is an NIS+ table. The [NOTFOUND=return] search criterion instructs the switch to stop searching the NIS+ tables if the switch gets a “No such entry” message. The switch searches through local files only if the NIS+ server is unavailable. nsswitch.conf filensswitch.nis fileNIS template file. The nsswitch.nis configuration file is almost identical to the NIS+ configuration file, except that NIS file specifies NIS maps in place of NIS+ tables. Because the search order for passwd and group is files nis, you don't need to place the + entry in the /etc/passwd and /etc/group files. nsswitch.conf filensswitch.files fileFiles template file. The nsswitch.files configuration file specifies local /etc files as the only source of information for the machine. There is no “files” source for netgroup, so the client does not use that entry in the switch file. Copy the template file that most closely meets your requirements to the nsswitch.conf configuration file and then modify the file as needed.For example, to use the LDAP template file, you would type the following command.mymachine# cp /etc/nsswitch.ldap /etc/nsswitch.confnsswitch.conf filedefault template files The following four switch files are supplied with the Solaris product.# # # /etc/nsswitch.nisplus: # # # An example file that could be copied over to /etc/nsswitch.conf; # it uses NIS+ (NIS Version 3) in conjunction with files. # # "hosts:" and "services:" in this file are used only if the # /etc/netconfig file has a "-" for nametoaddr_libs of "inet" # transports. # the following two lines obviate the "+" entry in /etc/passwd # and /etc/group. passwd: files nisplus group: files nisplus # consult /etc "files" only if nisplus is down. hosts: nisplus [NOTFOUND=return] files # Uncomment the following line, and comment out the above, to use # both DNS and NIS+. You must also set up the /etc/resolv.conf # file for DNS name server lookup. See resolv.conf(4). # hosts: nisplus dns [NOTFOUND=return] files services: nisplus [NOTFOUND=return] files networks: nisplus [NOTFOUND=return] files protocols: nisplus [NOTFOUND=return] files rpc: nisplus [NOTFOUND=return] files ethers: nisplus [NOTFOUND=return] files netmasks: nisplus [NOTFOUND=return] files bootparams: nisplus [NOTFOUND=return] files publickey: nisplus netgroup: nisplus automount: files nisplus aliases: files nisplus sendmailvars: files nisplus For the publickey entry, the nisplus value must be first in the list of values. For example, publickey: nisplus files is the correct entry for an nsswitch.conf file that multiple NIS+ domains consult. # # /etc/nsswitch.nis: # # An example file that could be copied over to /etc/nsswitch.conf; # it uses NIS (YP) in conjunction with files. # # "hosts:" and "services:" in this file are used only if the # /etc/netconfig file has a "-" for nametoaddr_libs of "inet" # transports. # # the following two lines obviate the "+" entry in /etc/passwd # and /etc/group. passwd: files nis group: files nis # consult /etc "files" only if nis is down. hosts: nis [NOTFOUND=return] files networks: nis [NOTFOUND=return] files protocols: nis [NOTFOUND=return] files rpc: nis [NOTFOUND=return] files ethers: nis [NOTFOUND=return] files netmasks: nis [NOTFOUND=return] files bootparams: nis [NOTFOUND=return] files publickey: nis [NOTFOUND=return] files netgroup: nis automount: files nis aliases: files nis # for efficient getservbyname() avoid nis services: files nis sendmailvars: files # # /etc/nsswitch.files: # # An example file that could be copied over to /etc/nsswitch.conf; # it does not use any naming service. # # "hosts:" and "services:" in this file are used only if the # /etc/netconfig file has a "-" for nametoaddr_libs of "inet" # transports. passwd: files group: files hosts: files networks: files protocols: files rpc: files ethers: files netmasks: files bootparams: files publickey: files # At present there isn't a 'files' back end for netgroup; # the system will figure it out pretty quickly, and will notuse # netgroups at all. netgroup: files automount: files aliases: files services: files sendmailvars: files # # /etc/nsswitch.ldap: # # An example file that could be copied over to /etc/nsswitch.conf; it # uses LDAP in conjunction with files. # # "hosts:" and "services:" in this file are used only if the # /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports. # the following two lines obviate the "+" entry in /etc/passwd and /etc/group. passwd: files ldap group: files ldap hosts: ldap [NOTFOUND=return] files networks: ldap [NOTFOUND=return] files protocols: ldap [NOTFOUND=return] files rpc: ldap [NOTFOUND=return] files ethers: ldap [NOTFOUND=return] files netmasks: ldap [NOTFOUND=return] files bootparams: ldap [NOTFOUND=return] files publickey: ldap [NOTFOUND=return] files netgroup: ldap automount: files ldap aliases: files ldap # for efficient getservbyname() avoid ldap services: files ldap sendmailvars: files nsswitch.conf filedefault file The default nsswitch.conf file that is installed with the Solaris software is determined by which naming service you select during the installation process. Each line identifies a particular type of network information, such as host, password, and group, along with the information source, such as NIS+ tables, NIS maps, the DNS hosts table, or local /etc. When you chose a naming service, the switch template file for that service is copied to create the new nsswitch.conf file. For example, if you choose NIS+, the nsswitch.nisplus file is copied to create a new nsswitch.conf file.nsswitch.conf filetemplatesnsswitch.conf filedefault filesAn nsswitch.conf file is automatically loaded into every machine's /etc directory by the Solaris 9 release software, along with the following alternate (template) versions./etc/nsswitch.nisplus filensswitch.nisplus file/etc/nsswitch.nisplus /etc/nsswitch.nis filensswitch.nis file/etc/nsswitch.nis /etc/nsswitch.files filensswitch.files file/etc/nsswitch.files /etc/nsswitch.ldap filensswitch.ldap file/etc/nsswitch.ldap setupswitch filesThese alternate template files contain the default switch configurations used by the NIS+ and NIS services, local files, and LDAP. No default file is provided for DNS, but you can edit any of these files to use DNS. When the Solaris software is first installed on a machine, the installer selects the machine's default naming service. During installation, the corresponding template file is copied to /etc/nsswitch.conf. For example, for a machine client using NIS+, the installation process copies nsswitch.nisplus to nsswitch.conf.If your network is connected to the Internet and users must access Internet hosts using DNS, you must enable DNS forwarding.Unless you have an unusual namespace, the default template file as copied to nsswitch.conf should be sufficient for normal operation. nsswitch.conf filechoosing a file nsswitch.conf fileinstallation of When you change a machine's naming service, you need to modify that machine's switch file accordingly. For example, if you change a machine's naming service from NIS to NIS+, you need to install a switch file appropriate for NIS+. You change switch files by copying the appropriate template file to nsswitch.conf.If you are installing NIS+ on a machine using the NIS+ installation scripts, the NIS+ template script is copied to nsswitch.conf for you. In this case, you do not have to configure the switch file unless you want to customize.Before proceeding to change switch files, make sure the sources listed in the file are properly set up. In other words, if you are going to select the NIS+ version, the client must eventually have access to NIS+ service. If you select the local files version, those files must be properly set up on the client.To change to a switch file, follow these steps.In order to use LDAP naming services, you must also properly configure all LDAP client machines, in addition to modifying the nsswitch.conf. See Chapter 12, Setting Up LDAP Clients (Tasks) for more information. Become superuser or assume an equivalent role.Roles contain authorizations and privileged commands. For more information about roles, see Chapter 9, Using Role-Based Access Control (Tasks), in System Administration Guide: Security Services. /etc/nsswitch.confmodifying the switchnsswitch.conf filemodifying the switchCopy the appropriate alternate file for the machine's naming service over the nsswitch.conf file.NIS+ Version (done automatically for you by NIS+ scripts)client1# cd /etc client1# cp nsswitch.nisplus nsswitch.confNIS Versionclient1# cd /etc client1# cp nsswitch.nis nsswitch.confLocal /etc Files Versionclient1# cd /etc client1# cp nsswitch.files nsswitch.conf Reboot the machine.The nscd daemon caches switch information. See the nscd1M man page for information.nscd daemondaemonsnscd/etc/nsswitch.confnscd daemon andnsswitch.conf filenscd daemon andSome library routines do not periodically check the nsswitch.conf file to see whether the file has been changed. You must reboot the machine to make sure that the daemon and those routines have the latest information in the file. nsswitch.conf fileDNS and nsswitch.conf fileInternet access Internetnsswitch.conf file DNSnsswitch.conf file The nsswitch.conf file also controls DNS forwarding for clients as described in the following subsections. DNS forwarding grants Internet access to clients. For information on how to set DNS forwarding for NIS and NIS+, see System Administration Guide: Naming and Directory Services (NIS+). nsswitch.conf fileIPv6 and nsswitch.conf fileInternet access Internetnsswitch.conf file IPv6nsswitch.conf file NIS, NIS+ and LDAP support storing IPv6 data, as well as using IPv6 transports for protocol traffic. Beginning with BIND version 8.3.3, DNS on Solaris supports the use of IPv6 transports on the client side. As of BIND version 8.4.2, DNS provides a complete client-server solution over IPv6 networks on Solaris.The nsswitch.conf file controls search criteria for IPv6 addresses. IPv6 increases the IP address size from 32 bits to 128 bits to support more levels of addressing hierarchy. A larger address size provides a greater number of addressable nodes. For more information about IPv6, its configuration and implementation, see System Administration Guide: IP Services.Use the new ipnodes source for IPv6 addresses. The /etc/inet/ipnodes file stores both IPv4 and IPv6 addresses. The /etc/inet/ipnodes file uses the same format convention as the /etc/hosts file.IPv6 aware naming services use the new ipnodes source for its search forwarding. For instance, if LDAP is aware of IPv6 addresses, specify the following.ipnodes: ldap [NOTFOUND=return] filesPotential delay issues:ipnodes defaults to files. During the transition from IPv4 to IPv6, where all naming services are not aware of IPv6 addresses, accept the files default. Otherwise, unnecessary delays, such as boot timing delays, might result during the resolution of addresses. An application searches all ipnodes databases for IPv4 addresses before searching for IPv4 addresses in the hosts databases. Before specifying ipnodes, consider the inherent delay of searching both databases for IPv4 addresses. nsswitch.conf file+/- Syntax+/- Syntaxnsswitch.conf fileIf +/- is used in /etc/passwd, /etc/shadow, and /etc/group files, you need to modify the nsswitch.conf file to insure compatibility.nsswitch.conf filecompat+/- Syntaxcompatnsswitch.conf filepasswd_compat+/- Syntaxpasswd_compatNIS+. To provide +/- semantics with NIS+, change the passwd and groups sources to compat. Then, add a passwd_compat: nisplus entry to the nsswitch.conf file after the passwd or group entry as shown below.passwd: compat passwd_compat: nisplus group: compat group_compat: nisplus/etc filesThe above specifies that client routines obtain their network information from /etc files and NIS+ tables as indicated by the +/- entries in the files. nsswitch.conf filecompat+/- SyntaxcompatNIS. To provide the same syntax as in the Solaris 4.x release, change the passwd and groups sources to compat.passwd: compat group: compatSpecifies the /etc files and NIS maps as indicated by the +/- entries in the files.ypcatUsers working on a client machine being served by an NIS+ server running in NIS compatibility mode cannot run ypcat on the netgroup table. Doing so gives you results as if the table were empty even if the table has entries. It is possible to include and access password information in multiple repositories, such as files and nisplus. You can use the nsswitch.conf file to establish the lookup order for that information.nsswitch.conf filepassword data andpassword datansswitch.conf filefiles must be the first source in the nsswitch.conf file for passwd information. In an NIS+ environment, the passwd line of the nsswitch.conf file should list the repositories in the following order.passwd: files nisplusIn an NIS environment, the passwd line of the nsswitch.conf file should list the repositories in the following order.passwd: files nispassword r commandrepositoriesusing multiplerepositoryupdatingnsswitch.conf fileupdatingListing files first allows root to log in, under most circumstances, even when the system encounters some network or naming services issues. Maintaining multiple repositories for the same user is not recommended. By maintaining centralized password management in a single repository for each user, you reduce the possibilities of confusion and error. If you choose to maintain multiple repositories per user, update password information by using the passwd r command.passwd r repositoryIf no repository is specified with the r option, passwd updates the repositories listed in nsswitch.conf in reverse order.