[thirdparty/systemd.git] / man / userdbctl.xml

<?xml version='1.0'?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->

<refentry id="userdbctl" conditional='ENABLE_USERDB'
    xmlns:xi="http://www.w3.org/2001/XInclude">

  <refentryinfo>
    <title>userdbctl</title>
    <productname>systemd</productname>
  </refentryinfo>

  <refmeta>
    <refentrytitle>userdbctl</refentrytitle>
    <manvolnum>1</manvolnum>
  </refmeta>

  <refnamediv>
    <refname>userdbctl</refname>
    <refpurpose>Inspect users, groups and group memberships</refpurpose>
  </refnamediv>

  <refsynopsisdiv>
    <cmdsynopsis>
      <command>userdbctl</command>
      <arg choice="opt" rep="repeat">OPTIONS</arg>
      <arg choice="req">COMMAND</arg>
      <arg choice="opt" rep="repeat">NAME</arg>
    </cmdsynopsis>
  </refsynopsisdiv>

  <refsect1>
    <title>Description</title>

    <para><command>userdbctl</command> may be used to inspect user and groups (as well as group memberships)
    of the system. This client utility inquires user/group information provided by various system services,
    both operating on JSON user/group records (as defined by the <ulink
    url="https://systemd.io/USER_RECORD">JSON User Records</ulink> and <ulink
    url="https://systemd.io/GROUP_RECORD">JSON Group Records</ulink> definitions), and classic UNIX NSS/glibc
    user and group records. This tool is primarily a client to the <ulink
    url="https://systemd.io/USER_GROUP_API">User/Group Record Lookup API via Varlink</ulink>, and may also
    pick up drop-in JSON user and group records from <filename>/etc/userdb/</filename>,
    <filename>/run/userdb/</filename>, <filename>/run/host/userdb/</filename>,
    <filename>/usr/lib/userdb/</filename>.</para>
  </refsect1>

  <refsect1>
    <title>Options</title>

    <para>The following options are understood:</para>

    <variablelist>

      <varlistentry>
        <term><option>--output=</option><replaceable>MODE</replaceable></term>

        <listitem><para>Choose the output mode, takes one of <literal>classic</literal>,
        <literal>friendly</literal>, <literal>table</literal>, <literal>json</literal>. If
        <literal>classic</literal>, an output very close to the format of <filename>/etc/passwd</filename> or
        <filename>/etc/group</filename> is generated. If <literal>friendly</literal> a more comprehensive and
        user friendly, human readable output is generated; if <literal>table</literal> a minimal, tabular
        output is generated; if <literal>json</literal> a JSON formatted output is generated. Defaults to
        <literal>friendly</literal> if a user/group is specified on the command line,
        <literal>table</literal> otherwise.</para>

        <para>Note that most output formats do not show all available information. In particular,
        <literal>classic</literal> and <literal>table</literal> show only the most important fields. Various
        modes also do not show password hashes. Use <literal>json</literal> to view all fields, including
        any authentication fields.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><option>--service=</option><replaceable>SERVICE</replaceable><optional>:<replaceable>SERVICE…</replaceable></optional></term>
        <term><option>-s</option> <replaceable>SERVICE</replaceable>:<replaceable>SERVICE…</replaceable></term>

        <listitem><para>Controls which services to query for users/groups. Takes a list of one or more
        service names, separated by <literal>:</literal>. See below for a list of well-known service
        names. If not specified all available services are queried at once.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><option>--with-nss=</option><replaceable>BOOL</replaceable></term>

        <listitem><para>Controls whether to include classic glibc/NSS user/group lookups in the output. If
        <option>--with-nss=no</option> is used any attempts to resolve or enumerate users/groups provided
        only via glibc NSS is suppressed. If <option>--with-nss=yes</option> is specified such users/groups
        are included in the output (which is the default).</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><option>--with-varlink=</option><replaceable>BOOL</replaceable></term>

        <listitem><para>Controls whether to include Varlink user/group lookups in the output, i.e. those done
        via the <ulink url="https://systemd.io/USER_GROUP_API">User/Group Record Lookup API via
        Varlink</ulink>. If <option>--with-varlink=no</option> is used any attempts to resolve or enumerate
        users/groups provided only via Varlink are suppressed. If <option>--with-varlink=yes</option> is
        specified such users/groups are included in the output (which is the default).</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><option>--with-dropin=</option><replaceable>BOOL</replaceable></term>

        <listitem><para>Controls whether to include user/group lookups in the output that are defined using
        drop-in files in <filename>/etc/userdb/</filename>, <filename>/run/userdb/</filename>,
        <filename>/run/host/userdb/</filename>, <filename>/usr/lib/userdb/</filename>. If
        <option>--with-dropin=no</option> is used these records are suppressed. If
        <option>--with-dropin=yes</option> is specified such users/groups are included in the output (which
        is the default).</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><option>--synthesize=</option><replaceable>BOOL</replaceable></term>

        <listitem><para>Controls whether to synthesize records for the root and nobody users/groups if they
        aren't defined otherwise. By default (or <literal>yes</literal>) such records are implicitly
        synthesized if otherwise missing since they have special significance to the OS. When
        <literal>no</literal> this synthesizing is turned off.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><option>-N</option></term>

        <listitem><para>This option is short for <option>--with-nss=no</option>
        <option>--synthesize=no</option>. Use this option to show only records that are natively defined as
        JSON user or group records, with all NSS/glibc compatibility and all implicit synthesis turned
        off.</para></listitem>
      </varlistentry>

      <xi:include href="standard-options.xml" xpointer="no-pager" />
      <xi:include href="standard-options.xml" xpointer="no-legend" />
      <xi:include href="standard-options.xml" xpointer="help" />
      <xi:include href="standard-options.xml" xpointer="version" />
    </variablelist>
  </refsect1>

  <refsect1>
    <title>Commands</title>

    <para>The following commands are understood:</para>

    <variablelist>

      <varlistentry>
        <term><command>user</command> <optional><replaceable>USER</replaceable>…</optional></term>

        <listitem><para>List all known users records or show details of one or more specified user
        records. Use <option>--output=</option> to tweak output mode.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><command>group</command> <optional><replaceable>GROUP</replaceable>…</optional></term>

        <listitem><para>List all known group records or show details of one or more specified group
        records. Use <option>--output=</option> to tweak output mode.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><command>users-in-group</command> <optional><replaceable>GROUP</replaceable>…</optional></term>

        <listitem><para>List users that are members of the specified groups. If no groups are specified list
        all user/group memberships defined. Use <option>--output=</option> to tweak output
        mode.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><command>groups-of-user</command> <optional><replaceable>USER</replaceable>…</optional></term>

        <listitem><para>List groups that the specified users are members of. If no users are specified list
        all user/group memberships defined (in this case <command>groups-of-user</command> and
        <command>users-in-group</command> are equivalent). Use <option>--output=</option> to tweak output
        mode.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><command>services</command></term>

        <listitem><para>List all services currently providing user/group definitions to the system. See below
        for a list of well-known services providing user information.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><command>ssh-authorized-keys</command></term>

        <listitem><para>This operation is not a public, user-facing interface. It is used to allow the SSH daemon to pick
        up authorized keys from user records, see below.</para></listitem>
      </varlistentry>
    </variablelist>
  </refsect1>

  <refsect1>
    <title>Well-Known Services</title>

    <para>The <command>userdbctl services</command> command will list all currently running services that
    provide user or group definitions to the system. The following well-known services are shown among
    this list:</para>

    <variablelist>
      <varlistentry>
        <term><constant>io.systemd.DynamicUser</constant></term>

        <listitem><para>This service is provided by the system service manager itself (i.e. PID 1) and
        makes all users (and their groups) synthesized through the <varname>DynamicUser=</varname> setting in
        service unit files available to the system (see
        <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry> for
        details about this setting).</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><constant>io.systemd.Home</constant></term>

        <listitem><para>This service is provided by
        <citerefentry><refentrytitle>systemd-homed.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
        and makes all users (and their groups) belonging to home directories managed by that service
        available to the system.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><constant>io.systemd.Machine</constant></term>

        <listitem><para>This service is provided by
        <citerefentry><refentrytitle>systemd-machined.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
        and synthesizes records for all users/groups used by a container that employs user
        namespacing.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><constant>io.systemd.Multiplexer</constant></term>

        <listitem><para>This service is provided by
        <citerefentry><refentrytitle>systemd-userdbd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
        and multiplexes user/group look-ups to all other running lookup services. This is the primary entry point
        for user/group record clients, as it simplifies client side implementation substantially since they
        can ask a single service for lookups instead of asking all running services in parallel.
        <command>userdbctl</command> uses this service preferably, too, unless <option>--with-nss=</option>
        or <option>--service=</option> are used, in which case finer control over the services to talk to is
        required.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><constant>io.systemd.NameServiceSwitch</constant></term>

        <listitem><para>This service is (also) provided by
        <citerefentry><refentrytitle>systemd-userdbd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
        and converts classic NSS/glibc user and group records to JSON user/group records, providing full
        backwards compatibility. Use <option>--with-nss=no</option> to disable this compatibility, see
        above. Note that compatibility is actually provided in both directions:
        <citerefentry><refentrytitle>nss-systemd</refentrytitle><manvolnum>8</manvolnum></citerefentry> will
        automatically synthesize classic NSS/glibc user/group records from all JSON user/group records
        provided to the system, thus using both APIs is mostly equivalent and provides access to the same
        data, however the NSS/glibc APIs necessarily expose a more reduced set of fields
        only.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><constant>io.systemd.DropIn</constant></term>

        <listitem><para>This service is (also) provided by
        <citerefentry><refentrytitle>systemd-userdbd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
        and picks up JSON user/group records from <filename>/etc/userdb/</filename>,
        <filename>/run/userdb/</filename>, <filename>/run/host/userdb/</filename>,
        <filename>/usr/lib/userdb/</filename>.</para></listitem>
      </varlistentry>

    </variablelist>

    <para>Note that <command>userdbctl</command> has internal support for NSS-based lookups too. This means
    that if neither <constant>io.systemd.Multiplexer</constant> nor
    <constant>io.systemd.NameServiceSwitch</constant> are running look-ups into the basic user/group
    databases will still work.</para>
  </refsect1>

  <refsect1>
    <title>Integration with SSH</title>

    <para>The <command>userdbctl</command> tool may be used to make the list of SSH authorized keys possibly
    contained in a user record available to the SSH daemon for authentication. For that configure the
    following in <citerefentry
    project='die-net'><refentrytitle>sshd_config</refentrytitle><manvolnum>5</manvolnum></citerefentry>:</para>

    <programlisting>…
AuthorizedKeysCommand /usr/bin/userdbctl ssh-authorized-keys %u
AuthorizedKeysCommandUser root
…</programlisting>
  </refsect1>

  <refsect1>
    <title>Exit status</title>

    <para>On success, 0 is returned, a non-zero failure code otherwise.</para>
  </refsect1>

  <xi:include href="common-variables.xml" />

  <refsect1>
    <title>See Also</title>
    <para>
      <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd-userdbd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd-homed.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>nss-systemd</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
      <citerefentry project='man-pages'><refentrytitle>getent</refentrytitle><manvolnum>1</manvolnum></citerefentry>
    </para>
  </refsect1>

</refentry>
Commit	Line	Data
3b2db6f1 LP	1	<?xml version='1.0'?>
	2	<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
	3	"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
db9ecf05	4	<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->
3b2db6f1 LP	5
	6	<refentry id="userdbctl" conditional='ENABLE_USERDB'
	7	xmlns:xi="http://www.w3.org/2001/XInclude">
	8
	9	<refentryinfo>
	10	<title>userdbctl</title>
	11	<productname>systemd</productname>
	12	</refentryinfo>
	13
	14	<refmeta>
	15	<refentrytitle>userdbctl</refentrytitle>
	16	<manvolnum>1</manvolnum>
	17	</refmeta>
	18
	19	<refnamediv>
	20	<refname>userdbctl</refname>
	21	<refpurpose>Inspect users, groups and group memberships</refpurpose>
	22	</refnamediv>
	23
	24	<refsynopsisdiv>
	25	<cmdsynopsis>
	26	<command>userdbctl</command>
	27	<arg choice="opt" rep="repeat">OPTIONS</arg>
	28	<arg choice="req">COMMAND</arg>
	29	<arg choice="opt" rep="repeat">NAME</arg>
	30	</cmdsynopsis>
	31	</refsynopsisdiv>
	32
	33	<refsect1>
	34	<title>Description</title>
	35
	36	<para><command>userdbctl</command> may be used to inspect user and groups (as well as group memberships)
	37	of the system. This client utility inquires user/group information provided by various system services,
	38	both operating on JSON user/group records (as defined by the <ulink
cf3ce054 ZJS	39	url="https://systemd.io/USER_RECORD">JSON User Records</ulink> and <ulink
cf3ce054 ZJS	40	url="https://systemd.io/GROUP_RECORD">JSON Group Records</ulink> definitions), and classic UNIX NSS/glibc
3b2db6f1	41	user and group records. This tool is primarily a client to the <ulink
c96a3012 LP	42	url="https://systemd.io/USER_GROUP_API">User/Group Record Lookup API via Varlink</ulink>, and may also
	43	pick up drop-in JSON user and group records from <filename>/etc/userdb/</filename>,
	44	<filename>/run/userdb/</filename>, <filename>/run/host/userdb/</filename>,
be0d27ee	45	<filename>/usr/lib/userdb/</filename>.</para>
3b2db6f1 LP	46	</refsect1>
	47
	48	<refsect1>
	49	<title>Options</title>
	50
	51	<para>The following options are understood:</para>
	52
	53	<variablelist>
	54
	55	<varlistentry>
	56	<term><option>--output=</option><replaceable>MODE</replaceable></term>
	57
	58	<listitem><para>Choose the output mode, takes one of <literal>classic</literal>,
	59	<literal>friendly</literal>, <literal>table</literal>, <literal>json</literal>. If
	60	<literal>classic</literal>, an output very close to the format of <filename>/etc/passwd</filename> or
	61	<filename>/etc/group</filename> is generated. If <literal>friendly</literal> a more comprehensive and
	62	user friendly, human readable output is generated; if <literal>table</literal> a minimal, tabular
	63	output is generated; if <literal>json</literal> a JSON formatted output is generated. Defaults to
	64	<literal>friendly</literal> if a user/group is specified on the command line,
f7dc8248 ZJS	65	<literal>table</literal> otherwise.</para>
	66
	67	<para>Note that most output formats do not show all available information. In particular,
	68	<literal>classic</literal> and <literal>table</literal> show only the most important fields. Various
	69	modes also do not show password hashes. Use <literal>json</literal> to view all fields, including
	70	any authentication fields.</para>
	71	</listitem>
3b2db6f1 LP	72	</varlistentry>
	73
	74	<varlistentry>
	75	<term><option>--service=</option><replaceable>SERVICE</replaceable><optional>:<replaceable>SERVICE…</replaceable></optional></term>
	76	<term><option>-s</option> <replaceable>SERVICE</replaceable>:<replaceable>SERVICE…</replaceable></term>
	77
	78	<listitem><para>Controls which services to query for users/groups. Takes a list of one or more
	79	service names, separated by <literal>:</literal>. See below for a list of well-known service
	80	names. If not specified all available services are queried at once.</para></listitem>
	81	</varlistentry>
	82
	83	<varlistentry>
	84	<term><option>--with-nss=</option><replaceable>BOOL</replaceable></term>
	85
	86	<listitem><para>Controls whether to include classic glibc/NSS user/group lookups in the output. If
	87	<option>--with-nss=no</option> is used any attempts to resolve or enumerate users/groups provided
	88	only via glibc NSS is suppressed. If <option>--with-nss=yes</option> is specified such users/groups
	89	are included in the output (which is the default).</para></listitem>
	90	</varlistentry>
	91
c96a3012 LP	92	<varlistentry>
	93	<term><option>--with-varlink=</option><replaceable>BOOL</replaceable></term>
	94
	95	<listitem><para>Controls whether to include Varlink user/group lookups in the output, i.e. those done
	96	via the <ulink url="https://systemd.io/USER_GROUP_API">User/Group Record Lookup API via
	97	Varlink</ulink>. If <option>--with-varlink=no</option> is used any attempts to resolve or enumerate
	98	users/groups provided only via Varlink are suppressed. If <option>--with-varlink=yes</option> is
	99	specified such users/groups are included in the output (which is the default).</para></listitem>
	100	</varlistentry>
	101
	102	<varlistentry>
	103	<term><option>--with-dropin=</option><replaceable>BOOL</replaceable></term>
	104
	105	<listitem><para>Controls whether to include user/group lookups in the output that are defined using
	106	drop-in files in <filename>/etc/userdb/</filename>, <filename>/run/userdb/</filename>,
be0d27ee	107	<filename>/run/host/userdb/</filename>, <filename>/usr/lib/userdb/</filename>. If
c96a3012 LP	108	<option>--with-dropin=no</option> is used these records are suppressed. If
	109	<option>--with-dropin=yes</option> is specified such users/groups are included in the output (which
	110	is the default).</para></listitem>
	111	</varlistentry>
	112
3b2db6f1 LP	113	<varlistentry>
	114	<term><option>--synthesize=</option><replaceable>BOOL</replaceable></term>
	115
	116	<listitem><para>Controls whether to synthesize records for the root and nobody users/groups if they
	117	aren't defined otherwise. By default (or <literal>yes</literal>) such records are implicitly
	118	synthesized if otherwise missing since they have special significance to the OS. When
	119	<literal>no</literal> this synthesizing is turned off.</para></listitem>
	120	</varlistentry>
	121
	122	<varlistentry>
	123	<term><option>-N</option></term>
	124
	125	<listitem><para>This option is short for <option>--with-nss=no</option>
	126	<option>--synthesize=no</option>. Use this option to show only records that are natively defined as
	127	JSON user or group records, with all NSS/glibc compatibility and all implicit synthesis turned
	128	off.</para></listitem>
	129	</varlistentry>
	130
	131	<xi:include href="standard-options.xml" xpointer="no-pager" />
	132	<xi:include href="standard-options.xml" xpointer="no-legend" />
	133	<xi:include href="standard-options.xml" xpointer="help" />
	134	<xi:include href="standard-options.xml" xpointer="version" />
	135	</variablelist>
	136	</refsect1>
	137
	138	<refsect1>
	139	<title>Commands</title>
	140
	141	<para>The following commands are understood:</para>
	142
	143	<variablelist>
	144
	145	<varlistentry>
	146	<term><command>user</command> <optional><replaceable>USER</replaceable>…</optional></term>
	147
	148	<listitem><para>List all known users records or show details of one or more specified user
	149	records. Use <option>--output=</option> to tweak output mode.</para></listitem>
	150	</varlistentry>
	151
	152	<varlistentry>
	153	<term><command>group</command> <optional><replaceable>GROUP</replaceable>…</optional></term>
	154
	155	<listitem><para>List all known group records or show details of one or more specified group
	156	records. Use <option>--output=</option> to tweak output mode.</para></listitem>
	157	</varlistentry>
	158
	159	<varlistentry>
	160	<term><command>users-in-group</command> <optional><replaceable>GROUP</replaceable>…</optional></term>
	161
	162	<listitem><para>List users that are members of the specified groups. If no groups are specified list
	163	all user/group memberships defined. Use <option>--output=</option> to tweak output
	164	mode.</para></listitem>
	165	</varlistentry>
	166
	167	<varlistentry>
	168	<term><command>groups-of-user</command> <optional><replaceable>USER</replaceable>…</optional></term>
	169
	170	<listitem><para>List groups that the specified users are members of. If no users are specified list
	171	all user/group memberships defined (in this case <command>groups-of-user</command> and
	172	<command>users-in-group</command> are equivalent). Use <option>--output=</option> to tweak output
	173	mode.</para></listitem>
	174	</varlistentry>
	175
	176	<varlistentry>
177	<term><command>services</command></term>
178
179	<listitem><para>List all services currently providing user/group definitions to the system. See below
180	for a list of well-known services providing user information.</para></listitem>
181	</varlistentry>
182
183	<varlistentry>
184	<term><command>ssh-authorized-keys</command></term>
185
186	<listitem><para>This operation is not a public, user-facing interface. It is used to allow the SSH daemon to pick
187	up authorized keys from user records, see below.</para></listitem>
188	</varlistentry>
189	</variablelist>
190	</refsect1>
191
192	<refsect1>
193	<title>Well-Known Services</title>
194
195	<para>The <command>userdbctl services</command> command will list all currently running services that
e9dd6984 ZJS	196	provide user or group definitions to the system. The following well-known services are shown among
e9dd6984 ZJS	197	this list:</para>
3b2db6f1 LP	198
3b2db6f1 LP	199	<variablelist>
3b2db6f1 LP	200	<varlistentry>
	201	<term><constant>io.systemd.DynamicUser</constant></term>
	202
	203	<listitem><para>This service is provided by the system service manager itself (i.e. PID 1) and
	204	makes all users (and their groups) synthesized through the <varname>DynamicUser=</varname> setting in
	205	service unit files available to the system (see
	206	<citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry> for
	207	details about this setting).</para></listitem>
	208	</varlistentry>
	209
	210	<varlistentry>
	211	<term><constant>io.systemd.Home</constant></term>
	212
	213	<listitem><para>This service is provided by
	214	<citerefentry><refentrytitle>systemd-homed.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
	215	and makes all users (and their groups) belonging to home directories managed by that service
	216	available to the system.</para></listitem>
	217	</varlistentry>
	218
4c2cf157 LP	219	<varlistentry>
	220	<term><constant>io.systemd.Machine</constant></term>
	221
	222	<listitem><para>This service is provided by
	223	<citerefentry><refentrytitle>systemd-machined.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
	224	and synthesizes records for all users/groups used by a container that employs user
	225	namespacing.</para></listitem>
	226	</varlistentry>
	227
3b2db6f1 LP	228	<varlistentry>
	229	<term><constant>io.systemd.Multiplexer</constant></term>
	230
	231	<listitem><para>This service is provided by
	232	<citerefentry><refentrytitle>systemd-userdbd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
	233	and multiplexes user/group look-ups to all other running lookup services. This is the primary entry point
	234	for user/group record clients, as it simplifies client side implementation substantially since they
	235	can ask a single service for lookups instead of asking all running services in parallel.
	236	<command>userdbctl</command> uses this service preferably, too, unless <option>--with-nss=</option>
	237	or <option>--service=</option> are used, in which case finer control over the services to talk to is
	238	required.</para></listitem>
	239	</varlistentry>
	240
	241	<varlistentry>
afe6a9c4	242	<term><constant>io.systemd.NameServiceSwitch</constant></term>
3b2db6f1 LP	243
	244	<listitem><para>This service is (also) provided by
	245	<citerefentry><refentrytitle>systemd-userdbd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
	246	and converts classic NSS/glibc user and group records to JSON user/group records, providing full
	247	backwards compatibility. Use <option>--with-nss=no</option> to disable this compatibility, see
	248	above. Note that compatibility is actually provided in both directions:
	249	<citerefentry><refentrytitle>nss-systemd</refentrytitle><manvolnum>8</manvolnum></citerefentry> will
	250	automatically synthesize classic NSS/glibc user/group records from all JSON user/group records
	251	provided to the system, thus using both APIs is mostly equivalent and provides access to the same
	252	data, however the NSS/glibc APIs necessarily expose a more reduced set of fields
	253	only.</para></listitem>
	254	</varlistentry>
c96a3012 LP	255
	256	<varlistentry>
	257	<term><constant>io.systemd.DropIn</constant></term>
	258
	259	<listitem><para>This service is (also) provided by
	260	<citerefentry><refentrytitle>systemd-userdbd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
	261	and picks up JSON user/group records from <filename>/etc/userdb/</filename>,
	262	<filename>/run/userdb/</filename>, <filename>/run/host/userdb/</filename>,
be0d27ee	263	<filename>/usr/lib/userdb/</filename>.</para></listitem>
c96a3012 LP	264	</varlistentry>
c96a3012 LP	265
3b2db6f1 LP	266	</variablelist>
	267
	268	<para>Note that <command>userdbctl</command> has internal support for NSS-based lookups too. This means
	269	that if neither <constant>io.systemd.Multiplexer</constant> nor
afe6a9c4	270	<constant>io.systemd.NameServiceSwitch</constant> are running look-ups into the basic user/group
3b2db6f1 LP	271	databases will still work.</para>
	272	</refsect1>
	273
	274	<refsect1>
	275	<title>Integration with SSH</title>
	276
	277	<para>The <command>userdbctl</command> tool may be used to make the list of SSH authorized keys possibly
	278	contained in a user record available to the SSH daemon for authentication. For that configure the
	279	following in <citerefentry
62641751	280	project='die-net'><refentrytitle>sshd_config</refentrytitle><manvolnum>5</manvolnum></citerefentry>:</para>
3b2db6f1 LP	281
	282	<programlisting>…
	283	AuthorizedKeysCommand /usr/bin/userdbctl ssh-authorized-keys %u
	284	AuthorizedKeysCommandUser root
	285	…</programlisting>
	286	</refsect1>
	287
	288	<refsect1>
	289	<title>Exit status</title>
	290
	291	<para>On success, 0 is returned, a non-zero failure code otherwise.</para>
	292	</refsect1>
	293
4ef3ca34	294	<xi:include href="common-variables.xml" />
3b2db6f1 LP	295
	296	<refsect1>
	297	<title>See Also</title>
	298	<para>
	299	<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
	300	<citerefentry><refentrytitle>systemd-userdbd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
	301	<citerefentry><refentrytitle>systemd-homed.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
	302	<citerefentry><refentrytitle>nss-systemd</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
	303	<citerefentry project='man-pages'><refentrytitle>getent</refentrytitle><manvolnum>1</manvolnum></citerefentry>
	304	</para>
	305	</refsect1>
	306
	307	</refentry>