From patchwork Wed Mar 20 20:07:14 2019
X-Patchwork-Submitter: Carlos O'Donell
X-Patchwork-Id: 31921
Subject: [PATCH v2] nss: Make nsswitch.conf more distribution friendly.
From: Carlos O'Donell
To: Florian Weimer
Cc: libc-alpha@sourceware.org, Aurelien Jarno, Andreas Schwab
Date: Wed, 20 Mar 2019 16:07:14 -0400
References: <9303fad2-66ee-89e4-7433-395be089494e@redhat.com> <87h8bxv5wy.fsf@mid.deneb.enyo.de>
In-Reply-To: <87h8bxv5wy.fsf@mid.deneb.enyo.de>

On 3/20/19 12:58 PM, Florian Weimer wrote:
> * Carlos O'Donell:
>
>> +# An example Name Service Switch config file. This file should be
>> +# sorted with the most-used services at the beginning.
>
> The example file itself doesn't seem to follow this.

I noticed that netmasks, automount, and bootparams are not handled by
glibc, but listed in the nsswitch.conf. Are these handled by some other
application which parses /etc/nsswitch.conf? I'm not aware of any that
do so, and so I've removed them. We never got around to implementing
the accessor functions for them, and only added publickey.

I cleaned up the docs and referenced the info docs from the default
nsswitch.conf.

>> +# ldap Use LDAP directory server
>
> Is the module really called ldap these days? I it's ldapd. ldap was
> the module that had an in-process LDAP client, which was kind of iffy.

Yes, this is the ldap module using nslcd.

rpm -qf /lib64/libnss_ldap.so
nss-pam-ldapd-0.9.9-4.fc29.x86_64

Description : The nss-pam-ldapd daemon, nslcd, uses a directory server
to look up name service information (users, groups, etc.) on behalf of
a lightweight nsswitch module.

It's the same name (unfortunately).

v2 follows.

8< --- 8< --- 8<

The current default nsswitch.conf file provided by glibc is not very
distribution friendly. The file contains some minimal directives that
no real distribution uses. This update aims to provide a rich set of
comments which are useful for all distributions, and a broader set of
service defines which should work for all distributions.

Tested defaults on x86_64 and they work.

The nsswitch.conf file more closely matches what we have in Fedora now,
and I'll adjust Fedora to use this version with minor changes to enable
Fedora-specific service providers.
v2 - Add missing databases to manual. - Add link to manual from default nsswitch.conf. - Sort nsswitch.conf according to most used database first. --- ChangeLog | 5 +++ manual/nss.texi | 20 +++++++++--- nss/nsswitch.conf | 81 +++++++++++++++++++++++++++++++++++++---------- 3 files changed, 85 insertions(+), 21 deletions(-) diff --git a/ChangeLog b/ChangeLog index 9889d21c85..9765ae0160 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +2019-03-20 Carlos O'Donell + + * nss/nsswitch.conf: Expand comments, and simplify defaults. + * manual/nss.texi (NSS Basics): List all known databases. + 2019-03-19 Joseph Myers * sysdeps/unix/sysv/linux/aarch64/bits/hwcap.h (HWCAP_SB): New diff --git a/manual/nss.texi b/manual/nss.texi index 164ae33246..5df2f6254a 100644 --- a/manual/nss.texi +++ b/manual/nss.texi @@ -56,13 +56,17 @@ functions to access the databases. @noindent The databases available in the NSS are +@cindex aliases @cindex ethers @cindex group +@cindex gshadow @cindex hosts +@cindex initgroups @cindex netgroup @cindex networks -@cindex protocols @cindex passwd +@cindex protocols +@cindex publickey @cindex rpc @cindex services @cindex shadow @@ -75,16 +79,22 @@ Ethernet numbers, @comment @pxref{Ethernet Numbers}. @item group Groups of users, @pxref{Group Database}. +@item gshadow +Group passphrase hashes and related information. @item hosts Host names and numbers, @pxref{Host Names}. +@item initgroups +Supplementary group access list. @item netgroup Network wide list of host and users, @pxref{Netgroup Database}. @item networks Network names and numbers, @pxref{Networks Database}. -@item protocols -Network protocols, @pxref{Protocols Database}. @item passwd User identities, @pxref{User Database}. +@item protocols +Network protocols, @pxref{Protocols Database}. +@item publickey +Public keys for Secure RPC. @item rpc Remote procedure call names and numbers. @comment @pxref{RPC Database}. 
@@ -96,8 +106,8 @@ User passphrase hashes and related information. @end table @noindent -There will be some more added later (@code{automount}, @code{bootparams}, -@code{netmasks}, and @code{publickey}). +More may be added later (@code{automount}, @code{bootparams}, +and @code{netmasks}). @node NSS Configuration File, NSS Module Internals, NSS Basics, Name Service Switch @section The NSS Configuration File diff --git a/nss/nsswitch.conf b/nss/nsswitch.conf index 39ca88bf51..dc4de262dd 100644 --- a/nss/nsswitch.conf +++ b/nss/nsswitch.conf 
@@ -1,20 +1,69 @@ +# # /etc/nsswitch.conf # -# Example configuration of GNU Name Service Switch functionality. +# An example Name Service Switch config file. This file should be +# sorted with the most-used services at the beginning. # +# Valid databases are: aliases, ethers, group, gshadow, hosts, +# initgroups, netgroup, networks, passwd, protocols, publickey, +# rpc, services, and shadow. +# +# Valid service provider entries include (in alphabetical order): +# +# compat Use /etc files plus *_compat pseudo-db +# db Use the pre-processed /var/db files +# dns Use DNS (Domain Name Service) +# files Use the local files in /etc +# hesiod Use Hesiod (DNS) for user lookups +# nis Use NIS (NIS version 2), also called YP +# nisplus Use NIS+ (NIS version 3) +# +# See `info libc 'NSS Basics'` for more information. +# +# Commonly used alternative service providers (may need installation): +# +# ldap Use LDAP directory server +# myhostname Use systemd host names +# mymachines Use systemd machine names +# mdns*, mdns*_minimal Use Avahi mDNS/DNS-SD +# resolve Use systemd resolved resolver +# sss Use System Security Services Daemon (sssd) +# systemd Use systemd for dynamic user option +# winbind Use SAMBA winbind support +# wins Use SAMBA wins support +# wrapper Use wrapper module for testing +# +# Notes: +# +# 'sssd' performs its own 'files'-based caching, so it should generally +# come before 'files'. +# +# WARNING: Running nscd with a secondary caching service like sssd may +# lead to unexpected behaviour, especially with how long +# entries are cached. 
+# +# Installation instructions: +# +# To use 'db', install the appropriate package(s) (provide 'makedb' and +# libnss_db.so.*), and place the 'db' in front of 'files' for entries +# you want to be looked up first in the databases, like this: +# +# passwd: db files +# shadow: db files +# group: db files -passwd: db files -group: db files -initgroups: db [SUCCESS=continue] files -shadow: db files -gshadow: files - -hosts: files dns -networks: files dns - -protocols: db files -services: db files -ethers: db files -rpc: db files - -netgroup: db files +# In order of most-used services first. +passwd: files +group: files +hosts: files dns +networks: files dns +initgroups: files +shadow: files +gshadow: files +netgroup: files +services: files +protocols: files +ethers: files +aliases: files +rpc: files +publickey: files
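Review bot: in the manual/nss.texi table hunk, the three new entries (gshadow, initgroups, publickey) carry no cross-reference, while every neighbouring entry either has a `@pxref{...}` or keeps a placeholder such as `@comment @pxref{RPC Database}` under rpc. Give the new items the same `@comment @pxref{...}` placeholder so the table stays uniform and a later section has a hook to attach to; the one-line descriptions themselves ("Group passphrase hashes and related information.", "Supplementary group access list.", "Public keys for Secure RPC.") are fine.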
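Review bot: the db "Installation instructions" in the nss/nsswitch.conf hunk drop the `initgroups: db [SUCCESS=continue] files` line that the removed default carried and show only `passwd`, `shadow` and `group`. Because the default action on success is to stop at the first service that answers, `group: db files` alone never reaches /etc/group once the db copy has a hit, so supplementary memberships kept only in files silently vanish; keep the initgroups line, with its explicit `[SUCCESS=continue]`, in the instructions. Two smaller points in the same hunk: the Notes paragraph says `'sssd'` should come before `'files'`, but the provider table lists the module as `sss` (sssd is the daemon), so quote `sss` there; and the sentence "install the appropriate package(s) (provide 'makedb' and libnss_db.so.*)" reads better as "(which provide 'makedb' and libnss_db.so.*)". Since `shadow: db files` is given as an example, a note that the generated /var/db copy of shadow holds the same password hashes and must keep shadow's restrictive permissions would help whoever follows these instructions. Finally, "DNS (Domain Name Service)" should be "Domain Name System".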
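The exchange above turns on how glibc walks the services listed on one nsswitch.conf line and what the bracketed `[STATUS=action]` specs change about that walk. The following is an added example written for this page, not code from glibc or from the patch: a small Python model of the status-to-action table with a parser for `database: service [STATUS=action ...] service` lines. The config, the `db`/`files` backend contents and the missing `dns` module are all constructed for the demonstration; it shows why the old default's `initgroups: db [SUCCESS=continue] files` merged groups from both sources while `group: db files` stops at the first hit.

```python
"""Model of nsswitch.conf action semantics (added example, not glibc code)."""
import re
from dataclasses import dataclass

SUCCESS, NOTFOUND, UNAVAIL, TRYAGAIN = "success", "notfound", "unavail", "tryagain"
# glibc defaults: stop on success, try the next service on any failure.
DEFAULT_ACTIONS = {SUCCESS: "return", NOTFOUND: "continue",
                   UNAVAIL: "continue", TRYAGAIN: "continue"}
VALID_ACTIONS = ("return", "continue", "merge")


@dataclass
class Service:
    name: str
    actions: dict          # status -> action for this service


def parse_nsswitch(text):
    """Parse 'database: service [STATUS=action ...] service ...' lines.

    Returns {database: [Service, ...]}. '[!STATUS=action]' applies the
    action to every status except the named one, as in glibc."""
    config = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        db, sep, rest = line.partition(":")
        if not sep:
            raise ValueError(f"missing ':' in {raw!r}")
        services = []
        for tok in re.findall(r"\[[^\]]*\]|\S+", rest):
            if not tok.startswith("["):
                services.append(Service(tok.lower(), dict(DEFAULT_ACTIONS)))
                continue
            if not tok.endswith("]"):
                raise ValueError(f"{db}: unterminated action spec {tok!r}")
            if not services:
                raise ValueError(f"{db}: action {tok} precedes any service")
            for spec in tok[1:-1].split():
                negate = spec.startswith("!")
                status, _, action = spec.lstrip("!").lower().partition("=")
                if status not in DEFAULT_ACTIONS or action not in VALID_ACTIONS:
                    raise ValueError(f"{db}: bad action spec {spec!r}")
                for s in DEFAULT_ACTIONS:
                    if (s == status) != negate:
                        services[-1].actions[s] = action
        config[db.strip().lower()] = services
    return config


def lookup(config, backends, db, key):
    """Consult each service for `db` in order and let its action table decide
    whether to stop. Returns (status, value). Successful answers collected
    across services (action 'continue' or 'merge') are concatenated for
    list-valued records such as initgroups; scalar records keep the first."""
    hits = []
    status = UNAVAIL
    for svc in config.get(db, []):
        backend = backends.get(svc.name)
        if backend is None:                     # module not installed
            status, value = UNAVAIL, None
        elif key in backend.get(db, {}):
            status, value = SUCCESS, backend[db][key]
        else:
            status, value = NOTFOUND, None
        if status == SUCCESS:
            hits.append(value)
        if svc.actions[status] == "return":
            break
    if not hits:
        return status, None
    merged = []
    for hit in hits:
        for item in (hit if isinstance(hit, list) else [hit]):
            if item not in merged:
                merged.append(item)
    return SUCCESS, merged if isinstance(hits[0], list) else merged[0]


# Constructed config: the db-backed layout the old glibc default shipped.
CONF = """
passwd:     db files
group:      db files
initgroups: db [SUCCESS=continue] files
hosts:      files dns
"""

# Constructed backends. 'dns' is deliberately absent (module not installed).
BACKENDS = {
    "db": {
        "passwd": {},
        "group": {"wheel": "wheel:x:10:alice"},
        "initgroups": {"alice": [10]},
    },
    "files": {
        "passwd": {"alice": "alice:x:1000:1000::/home/alice:/bin/sh"},
        "group": {"wheel": "wheel:x:10:", "users": "users:x:100:alice"},
        "initgroups": {"alice": [100, 1000]},
        "hosts": {"localhost": "127.0.0.1"},
    },
}


def resolve(db, key, conf=CONF):
    """Resolve `key` in `db` under `conf` against the constructed backends."""
    return lookup(parse_nsswitch(conf), BACKENDS, db, key)


if __name__ == "__main__":
    print(resolve("passwd", "alice"))       # db misses, files answers
    print(resolve("group", "wheel"))        # db wins, files never consulted
    print(resolve("initgroups", "alice"))   # both sources merged
    print(resolve("initgroups", "alice", "initgroups: db files"))  # db only
    print(resolve("hosts", "nosuch"))       # files misses, dns module absent
```

The `initgroups` pair is the point of the example: with `[SUCCESS=continue]` the caller gets gids 10, 100 and 1000, without it only the db answer, which is why an instruction that tells administrators to put `db` in front of `files` needs to carry that line along.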