[v3] nss: Make nsswitch.conf more distribution friendly.
Commit Message
This version incorporates all the feedback we've had so far, and
looks to be the most complete version we've ever had upstream.
I listed the autofs example that Andreas gave in the manual, since
it was relevant to point out to readers that the configuration actually
gets used by non-glibc system software.
v3 here for review.
8< --- 8< ---- 8<
The current default nsswitch.conf file provided by glibc is not very
distribution friendly. The file contains some minimal directives that no
real distribution uses. This update aims to provide a rich set of
comments which are useful for all distributions, and a broader set of
service defines which should work for all distributions.
Tested defaults on x86_64 and they work. The nsswitch.conf file more
closely matches what we have in Fedora now, and I'll adjust Fedora to
use this version with minor changes to enable Fedora-specific service
providers.
v2
- Add missing databases to manual.
- Add link to manual from default nsswitch.conf.
- Sort nsswitch.conf according to most used database first.
v3
- Only mention implemented services in 'NSS Basics.'
- Mention 'automount' in 'Services in the NSS configuration.'
- Sort services in alphabetical order.
---
ChangeLog | 6 ++++
manual/nss.texi | 24 +++++++++++---
nss/nsswitch.conf | 81 +++++++++++++++++++++++++++++++++++++----------
3 files changed, 90 insertions(+), 21 deletions(-)
Comments
On 3/25/19 4:49 PM, Carlos O'Donell wrote:
> This version incorporates all the feedback we've had so far, and
> looks to be the most complete version we've ever had upstream.
> I listed the autofs example that Andreas gave in the manual, since
> it was relevant to point out to readers that the configuration actually
> gets used by non-glibc system software.
>
> v3 here for review.
Ping.
https://www.sourceware.org/ml/libc-alpha/2019-03/msg00550.html
* Carlos O'Donell:
> +# winbind Use SAMBA winbind support
> +# wins Use SAMBA wins support
Typo: The project calls itself “Samba”. Rest looks okay to me.
Thanks,
Florian
@@ -1,3 +1,9 @@
+2019-03-25 Carlos O'Donell <carlos@redhat.com>
+
+ * nss/nsswitch.conf: Expand comments, and simplify defaults.
+ * manual/nss.texi (NSS Basics): List all known databases.
+ (Services in the NSS configuration): Mention automount.
+
2019-03-25 Adhemerval Zanella <adhemerval.zanella@linaro.org>
* sysdeps/powerpc/fpu/s_float_bitwise.h: Remove file.
@@ -56,13 +56,17 @@ functions to access the databases.
@noindent
The databases available in the NSS are
+@cindex aliases
@cindex ethers
@cindex group
+@cindex gshadow
@cindex hosts
+@cindex initgroups
@cindex netgroup
@cindex networks
-@cindex protocols
@cindex passwd
+@cindex protocols
+@cindex publickey
@cindex rpc
@cindex services
@cindex shadow
@@ -75,16 +79,22 @@ Ethernet numbers,
@comment @pxref{Ethernet Numbers}.
@item group
Groups of users, @pxref{Group Database}.
+@item gshadow
+Group passphrase hashes and related information.
@item hosts
Host names and numbers, @pxref{Host Names}.
+@item initgroups
+Supplementary group access list.
@item netgroup
Network wide list of host and users, @pxref{Netgroup Database}.
@item networks
Network names and numbers, @pxref{Networks Database}.
-@item protocols
-Network protocols, @pxref{Protocols Database}.
@item passwd
User identities, @pxref{User Database}.
+@item protocols
+Network protocols, @pxref{Protocols Database}.
+@item publickey
+Public keys for Secure RPC.
@item rpc
Remote procedure call names and numbers.
@comment @pxref{RPC Database}.
@@ -96,8 +106,8 @@ User passphrase hashes and related information.
@end table
@noindent
-There will be some more added later (@code{automount}, @code{bootparams},
-@code{netmasks}, and @code{publickey}).
+@c We currently don't implement automount, netmasks, or bootparams.
+More databasess may be added later.
@node NSS Configuration File, NSS Module Internals, NSS Basics, Name Service Switch
@section The NSS Configuration File
@@ -159,6 +169,10 @@ these files since they should be placed in a directory where they are
found automatically. Only the names of all available services are
important.
+Lastly, some system software may make use of the NSS configuration file
+to store it's own configuration for similar purposes. Examples of this
+include the @code{automount} service which is used by @code{autofs}.
+
@node Actions in the NSS configuration, Notes on NSS Configuration File, Services in the NSS configuration, NSS Configuration File
@subsection Actions in the NSS configuration
@@ -1,20 +1,69 @@
+#
# /etc/nsswitch.conf
#
-# Example configuration of GNU Name Service Switch functionality.
+# An example Name Service Switch config file. This file should be
+# sorted with the most-used services at the beginning.
#
+# Valid databases are: aliases, ethers, group, gshadow, hosts,
+# initgroups, netgroup, networks, passwd, protocols, publickey,
+# rpc, services, and shadow.
+#
+# Valid service provider entries include (in alphabetical order):
+#
+# compat Use /etc files plus *_compat pseudo-db
+# db Use the pre-processed /var/db files
+# dns Use DNS (Domain Name Service)
+# files Use the local files in /etc
+# hesiod Use Hesiod (DNS) for user lookups
+# nis Use NIS (NIS version 2), also called YP
+# nisplus Use NIS+ (NIS version 3)
+#
+# See `info libc 'NSS Basics'` for more information.
+#
+# Commonly used alternative service providers (may need installation):
+#
+# ldap Use LDAP directory server
+# myhostname Use systemd host names
+# mymachines Use systemd machine names
+# mdns*, mdns*_minimal Use Avahi mDNS/DNS-SD
+# resolve Use systemd resolved resolver
+# sss Use System Security Services Daemon (sssd)
+# systemd Use systemd for dynamic user option
+# winbind Use SAMBA winbind support
+# wins Use SAMBA wins support
+# wrapper Use wrapper module for testing
+#
+# Notes:
+#
+# 'sssd' performs its own 'files'-based caching, so it should generally
+# come before 'files'.
+#
+# WARNING: Running nscd with a secondary caching service like sssd may
+# lead to unexpected behaviour, especially with how long
+# entries are cached.
+#
+# Installation instructions:
+#
+# To use 'db', install the appropriate package(s) (provide 'makedb' and
+# libnss_db.so.*), and place the 'db' in front of 'files' for entries
+# you want to be looked up first in the databases, like this:
+#
+# passwd: db files
+# shadow: db files
+# group: db files
-passwd: db files
-group: db files
-initgroups: db [SUCCESS=continue] files
-shadow: db files
-gshadow: files
-
-hosts: files dns
-networks: files dns
-
-protocols: db files
-services: db files
-ethers: db files
-rpc: db files
-
-netgroup: db files
+# In alphabetical order. Re-order as required to optimize peformance.
+aliases: files
+ethers: files
+group: files
+gshadow: files
+hosts: files dns
+initgroups: files
+netgroup: files
+networks: files dns
+passwd: files
+protocols: files
+publickey: files
+rpc: files
+shadow: files
+services: files