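nsswitch.conf man page (Chinese edition)
NAME
nsswitch.conf - System databases and name service switch configuration file
DESCRIPTION
Many functions in the C library need to be configured in order to work correctly in the local environment. Traditionally this was done with files (e.g., `/etc/passwd'). But other name services, such as the Network Information Service (NIS) and the Domain Name Service (DNS), gradually became common and were added to the C library, where they used a fixed search order.
The Linux libc5 with NYS support and the GNU C Library 2.x (libc.so.6) rely on a cleaner and more complete scheme to solve this problem. The scheme is modeled on the method used by Sun Microsystems in the C library of Solaris 2 and also follows its naming: it is called the "Name Service Switch (NSS)". The "databases" used and their lookup order are specified in the file /etc/nsswitch.conf.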
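The following databases are available in the NSS:
- aliases: Mail aliases, used by sendmail(8).
- ethers: Ethernet numbers.
- group: Groups of users, used by the getgrent(3) functions.
- hosts: Host names and numbers, used by gethostbyname(3) and similar functions.
- netgroup: Network-wide list of hosts and their users, used for access rules.
- network: Network names and numbers, used by the getnetent(3) functions.
- passwd: User passwords, used by the getpwent(3) functions.
- protocols: Network protocols, used by the getprotoent(3) functions.
- publickey: Public keys for secure_rpc, used by NIS+ and NFS.
- rpc: Remote procedure call names and numbers, used by getrpcbyname(3) and similar functions.
- services: Network services, used by the getservent(3) functions.
- shadow: Shadow user passwords, used by the getspnam(3) function.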
Below is an example /etc/nsswitch.conf file (these are the default settings used if the system has no /etc/nsswitch.conf file):

    passwd:     compat
    group:      compat
    shadow:     compat
    hosts:      dns [!UNAVAIL=return] files
    networks:   nis [NOTFOUND=return] files
    ethers:     nis [NOTFOUND=return] files
    protocols:  nis [NOTFOUND=return] files
    rpc:        nis [NOTFOUND=return] files
    services:   nis [NOTFOUND=return] files

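The first column is the database described in the list above; the rest of each line specifies how the lookup is performed. The lookup method can be specified for each database individually.
The configuration specification for each database contains two different items:
- The service specification, such as `files', `db', or `nis'.
- The reaction to the lookup result, such as `[NOTFOUND=return]'.
In libc5 with NYS support, the service specifications `files', `nis' and `nisplus' are allowed. In addition, `dns' can be specified as an extra service for hosts, and `compat' for passwd and group, but `compat' cannot be specified for shadow.
In the GNU C Library, every SERVICE in use must have a corresponding file /lib/libnss_SERVICE.so.1. On a standard installation, `files', `db', `nis' and `nisplus' can be used. In addition, `dns' can be specified as an extra service for hosts, and `compat' for passwd, group and shadow; this last service is not supported in libc5 with NYS.
The second item in the specification gives the user finer control over the lookup process. Action items are placed between two service names and enclosed in brackets. The general form is:
`[' ( `!'? STATUS `=' ACTION )+ `]'
where
- STATUS => success | notfound | unavail | tryagain
- ACTION => return | continue
The keywords are case-insensitive. The STATUS value is the result of calling the lookup function of the specified service, with the following meanings:
- success: No error occurred and the wanted result was obtained. The default action is `return'.
- notfound: The lookup worked, but the wanted result was not found. The default action is `continue'.
- unavail: The service is permanently unavailable. This may mean that a required file is not available or, for DNS, that the server is not available or does not allow queries. The default action is `continue'.
- tryagain: The service is temporarily unavailable. This may mean that a file is locked or that the server currently cannot accept more connections. The default action is `continue'.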
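The action rules above can be checked mechanically. The following Python code is an added example, not part of the man page or of glibc: it parses one nsswitch.conf line and walks the service chain for given per-service results. It assumes the glibc meaning of `!' (the action applies to every status except the one named); the function names, the simulated results and the sample address are constructed for illustration.

```python
import re

STATUSES = ("success", "notfound", "unavail", "tryagain")
DEFAULTS = {"success": "return", "notfound": "continue",
            "unavail": "continue", "tryagain": "continue"}
TOKEN = re.compile(r"([\w.-]+)|\[([^\]]*)\]")
ITEM = re.compile(r"(!?)\s*(\w+)\s*=\s*(\w+)")

def parse_line(line):
    """Parse 'db: svc [STATUS=ACTION ...] svc' into (db, [(svc, actions)])."""
    db, _, spec = line.split("#", 1)[0].partition(":")
    chain = []
    for svc, bracket in TOKEN.findall(spec):
        if svc:
            chain.append((svc.lower(), dict(DEFAULTS)))
            continue
        if not chain:
            raise ValueError("action item must follow a service name")
        for neg, status, action in ITEM.findall(bracket.lower()):
            if status not in DEFAULTS or action not in ("return", "continue"):
                raise ValueError(f"unknown action item {status}={action}")
            # Assumed glibc rule: '!STATUS' selects every status but STATUS.
            for s in STATUSES:
                if (s == status) != bool(neg):
                    chain[-1][1][s] = action
    return db.strip().lower(), chain

def resolve(chain, results):
    """Walk the chain; results maps service -> (status, value).
    Returns (services consulted, final status, final value)."""
    consulted, status, value = [], "unavail", None
    for svc, actions in chain:
        # A service with no simulated result is treated as unavailable.
        status, value = results.get(svc, ("unavail", None))
        consulted.append(svc)
        if actions[status] == "return":
            break
    return consulted, status, value

if __name__ == "__main__":
    # Constructed scenario: a host pinned in /etc/hosts that DNS does not know.
    pinned = {"dns": ("notfound", None), "files": ("success", "192.0.2.10")}
    for line in ("hosts: dns [!UNAVAIL=return] files", "hosts: files dns"):
        print(line, "->", resolve(parse_line(line)[1], pinned))
```

With the default `hosts' line, an entry pinned in /etc/hosts is consulted only when DNS is unavailable, so a DNS `notfound' ends the lookup without reading the file. Writing `hosts: files dns' makes the local file the first source consulted.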
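Interaction with +/- syntax (compat mode)
Linux libc5 without NYS support has no name service switch, but it does allow the user some simple policy control. In /etc/passwd you can use +user or +@netgroup entries (include the specified user from the NIS passwd map), -user or -@netgroup entries (exclude the specified user), and a + entry (include every user, except those excluded, from the NIS passwd map). Most people only put a single + at the end of /etc/passwd to include everything from NIS. For this case the switch provides a faster alternative (`passwd: files nis'), which removes the need to add the single + entry to /etc/passwd, /etc/group and /etc/shadow. If this is not sufficient, the NSS `compat' service provides the full +/- syntax. The default service `nis' can be overridden by specifying the `nisplus' service for the pseudo-databases passwd_compat, group_compat and shadow_compat, but note that these pseudo-databases are available only in the GNU C Library.
FILES
A service named SERVICE is implemented by the shared object libnss_SERVICE.so.1 located in /lib.
- /etc/nsswitch.conf: configuration file
- /lib/libnss_compat.so.1: implements `compat' for GNU C Library 2.x
- /lib/libnss_db.so.1: implements `db' for GNU C Library 2.x
- /lib/libnss_dns.so.1: implements `dns' for GNU C Library 2.x
- /lib/libnss_files.so.1: implements `files' for GNU C Library 2.x
- /lib/libnss_hesiod.so.1: implements `hesiod' for GNU C Library 2.x
- /lib/libnss_nis.so.1: implements `nis' for GNU C Library 2.x
- /lib/libnss_nisplus.so.1: implements `nisplus' for GNU C Library 2.x
NOTES
Every process that uses the nsswitch.conf file reads the whole file only once; if the file is changed afterwards, the process continues to use the original configuration.
Under Solaris, programs that use NSS services cannot be linked statically, but under Linux this is no problem.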
NAME
nsswitch.conf - System Databases and Name Service Switch configuration file
DESCRIPTION
Various functions in the C Library need to be configured to work correctly in the local environment. Traditionally, this was done by using files (e.g., `/etc/passwd'), but other nameservices (like the Network Information Service (NIS) and the Domain Name Service (DNS)) became popular, and were hacked into the C library, usually with a fixed search order.
The Linux libc5 with NYS support and the GNU C Library 2.x (libc.so.6) contain a cleaner solution to this problem. It is modeled on a method used by Sun Microsystems in the C library of Solaris 2. We follow their name and call this scheme "Name Service Switch" (NSS). The sources for the "databases" and their lookup order are specified in the /etc/nsswitch.conf file.
The following databases are available in the NSS:
- aliases: Mail aliases, used by sendmail(8). Presently ignored.
- ethers: Ethernet numbers.
- group: Groups of users, used by getgrent(3) functions.
- hosts: Host names and numbers, used by gethostbyname(3) and similar functions.
- netgroup: Network wide list of hosts and users, used for access rules. C libraries before glibc 2.1 only support netgroups over NIS.
- network: Network names and numbers, used by getnetent(3) functions.
- passwd: User passwords, used by getpwent(3) functions.
- protocols: Network protocols, used by getprotoent(3) functions.
- publickey: Public and secret keys for Secure_RPC used by NFS and NIS+.
- rpc: Remote procedure call names and numbers, used by getrpcbyname(3) and similar functions.
- services: Network services, used by getservent(3) functions.
- shadow: Shadow user passwords, used by getspnam(3).
An example /etc/nsswitch.conf (namely, the default used when /etc/nsswitch.conf is missing):

    passwd:     compat
    group:      compat
    shadow:     compat
    hosts:      dns [!UNAVAIL=return] files
    networks:   nis [NOTFOUND=return] files
    ethers:     nis [NOTFOUND=return] files
    protocols:  nis [NOTFOUND=return] files
    rpc:        nis [NOTFOUND=return] files
    services:   nis [NOTFOUND=return] files

The first column is the database. The rest of the line specifies how the lookup process works. You can specify the way it works for each database individually.
The configuration specification for each database can contain two different items:
- The service specification, such as `files', `db', or `nis'.
- The reaction to the lookup result, such as `[NOTFOUND=return]'.
For libc5 with NYS, the allowed service specifications are `files', `nis', and `nisplus'. For hosts, you could specify `dns' as extra service, for passwd and group `compat', but not for shadow.
For glibc, you must have a file called /lib/libnss_SERVICE.so.X for every SERVICE you are using. On a standard installation, you could use `files', `db', `nis', and `nisplus'. For hosts, you could specify `dns' as extra service, for passwd, group, and shadow `compat'. These services will not be used by libc5 with NYS. The version number X is 1 for glibc 2.0 and 2 for glibc 2.1.
The second item in the specification gives the user much finer control over the lookup process. Action items are placed between two service names and are written within brackets. The general form is
`[' ( `!'? STATUS `=' ACTION )+ `]'
where
- STATUS => success | notfound | unavail | tryagain
- ACTION => return | continue
The case of the keywords is insignificant. The STATUS values are the results of a call to a lookup function of a specific service. They mean:
- success: No error occurred and the wanted entry is returned. The default action for this is `return'.
- notfound: The lookup process works ok but the needed value was not found. The default action is `continue'.
- unavail: The service is permanently unavailable. This can either mean the needed file is not available, or, for DNS, the server is not available or does not allow queries. The default action is `continue'.
- tryagain