Name Service Switch (NSS)
Description
The Name Service Switch is a System V UNIX facility which abstracts the mapping
between names and numbers into a set of library calls and makes the back-end
pluggable (hence “switch”). For a stand-alone server, this is used to provide
access to the various file databases for users, groups, hostnames, services and
protocols. The back-end is selected with the /etc/nsswitch.conf file. In
a networked environment, it is used to distribute this information through the
network, such as with NIS and LDAP. The database types are often called
‘‘maps’’.
Availability
As this is a System V facility, it is available on almost any platform that is
SysV-based, such as Solaris. It is likely available on IRIX, HP-UX, and SCO,
but I cannot verify this. It is not, however, available on AIX and BSD-based
systems, such as FreeBSD, NetBSD, OpenBSD, and MacOS X. It is also available
on Linux distributions since it is included with the GNU glibc.
Back-Ends
Back-end selection is done through the /etc/nsswitch.conf file. Included
stock with GNU glibc are the following back-ends:
- nisplus
- nis
- dns
- files
- db
- compat
- hesiod
An LDAP back-end is also available from PADL at
http://www.padl.com/OSS/nss_ldap.html. The Samba project also makes a daemon
called winbindd that is able to retrieve information for users and groups from
a Windows Domain Controller, although it internally has to map Windows SIDs to
user and group IDs, since the Windows protocols use an alphanumeric string
instead of just a number to enumerate users and groups.
The dns back-end is used only for hostname resolution, as you might expect.
The hesiod back-end also uses DNS with special record types, but it isn’t used
widely outside of a few large university campuses. The files back-end is the
default for most databases, and uses /etc/passwd for users, /etc/group for
groups, /etc/hosts for hostnames, /etc/services for service to port/protocol
(mostly TCP and UDP) mappings, and /etc/protocols for protocols. The db
back-end is a Berkeley-style database built from map files with the same
formats as the files back-end. On Linux systems, these are usually located in
/var/db. The compat back-end is for some NIS compatibility, although I’m not
entirely sure what. The nis and nisplus back-ends are, obviously, for NIS and
NIS+.
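The following /etc/nsswitch.conf is an added illustration, not a file taken from this page or from any particular distribution; the back-end names are the ones listed above, and the ordering and bracketed action are chosen to show how the file works rather than to recommend a particular setup. The point a practitioner cares about is that back-ends are consulted left to right, so placing files first means a local entry takes precedence over whatever the network back-end returns, and that a bracketed action lets you stop the search early.

```conf
# /etc/nsswitch.conf (added example; back-end order is illustrative)
#
# Each line is "<map>: <back-end> [<back-end> ...]". Back-ends are tried
# from left to right until one returns an answer, so "files" ahead of
# "ldap" or "dns" means the local database wins over the network one for
# any key it contains, including the accounts in /etc/passwd.
passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns
services:   files
protocols:  files

# A bracketed action applies to the status of the back-end just before it.
# Here a definite "not found" from the local file ends the lookup instead
# of falling through to NIS; only errors or an unavailable back-end do.
networks:   files [NOTFOUND=return] nis
```

Keep in mind that every process on the host that calls the resolver or the passwd/group functions is governed by this file, so an entry that sends the passwd or group map to a network back-end is effectively delegating who is a valid user to that remote service; this is what makes the ordering worth reviewing on any multi-user or domain-joined machine.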
Also included is nscd, the name-service cache daemon. For network back-ends,
this provides a considerable speed-up by caching information. Load is also
considerably decreased on the server. It is configured in /etc/nscd.conf,
which lets you set various server options, and time-outs and other parameters
for the various maps.
External Back-Ends
As of ‘‘glibc’’ 2.2, ‘‘nss_db’’ has been moved into a separate package. There are also a number of other external or third-party NSS providers, including the following:
- db
- winbind Samba component for mapping Windows SIDs into UNIX UIDs and GIDs
- ldap, PADL’s ‘‘nss_ldap’’
- mdns, multicast DNS (aka, ‘‘Rendezvous’’ or ‘‘Zeroconf’’)
- MySQL (several)
- Postgres (several)
Programming
Various programming languages provide interfaces for accessing data in the
maps. The simplest is the shell command getent. If you issue the command with
a map name it will list all entries in that map:
$ getent passwd |head
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/adm:
lp:x:4:7:lp:/var/spool/lpd:
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:
news:x:9:13:news:/var/spool/news:
If you supply a key, it will retrieve only the record with that key; for the ‘‘passwd’’ map, available keys are username and UID:
$ getent passwd 0
root:x:0:0:root:/root:/bin/bash
$ getent passwd root
root:x:0:0:root:/root:/bin/bash
You can also use it to look up host names without caring about whether the
answer is coming from DNS or /etc/hosts or whatever back-ends you have
configured:
$ getent hosts www.nakedape.cc
192.216.215.10 www.nakedape.cc
If you write shell scripts that access this data, you can do it more portably by using this interface instead of reading the files directly. An example is on my ShellHacks page.
Of course, C, Perl, Python and probably Ruby also provide similar interfaces.
However, with these interfaces, you usually go through a setXXent, loop over
getXXent, endXXent pattern to retrieve data one record at a time. The ‘‘XX’’
means there are separate calls for the various maps; for the ‘‘passwd’’ map
the ‘‘XX’’ is ‘‘pw’’. You can see the Perl interface in action in my
migrate-pw-to-cyrus2.pl script.