<?xml version='1.0'?> <!--*-nxml-*-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<!-- SPDX-License-Identifier: LGPL-2.1+ -->

<refentry id="nss-systemd" conditional='ENABLE_NSS_SYSTEMD'>
<title>nss-systemd</title>
<productname>systemd</productname>

<refentrytitle>nss-systemd</refentrytitle>
<manvolnum>8</manvolnum>

<refname>nss-systemd</refname>
<refname>libnss_systemd.so.2</refname>
<refpurpose>UNIX user and group name resolution for user/group lookup via Varlink</refpurpose>

<para><filename>libnss_systemd.so.2</filename></para>
<title>Description</title>
<para><command>nss-systemd</command> is a plug-in module for the GNU Name Service Switch (NSS)
functionality of the GNU C Library (<command>glibc</command>), providing UNIX user and group name
resolution for services implementing the <ulink url="https://systemd.io/USER_GROUP_API">User/Group Record
Lookup API via Varlink</ulink>, such as the system and service manager
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry> (for its
<varname>DynamicUser=</varname> feature, see
<citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry> for
details),
<citerefentry><refentrytitle>systemd-homed.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>, or <citerefentry><refentrytitle>systemd-machined.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
<para>This module also ensures that the root and nobody users and groups (i.e. the users/groups with the UIDs/GIDs
0 and 65534) remain resolvable at all times, even if they aren't listed in <filename>/etc/passwd</filename> or
<filename>/etc/group</filename>, or if these files are missing.</para>

<para>This module preferably utilizes
<citerefentry><refentrytitle>systemd-userdbd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
for resolving users and groups, but also works without the service running.</para>

<para>To activate the NSS module, add <literal>systemd</literal> to the lines starting with
<literal>passwd:</literal> and <literal>group:</literal> in <filename>/etc/nsswitch.conf</filename>.</para>

<para>It is recommended to place <literal>systemd</literal> after the <literal>files</literal> or
<literal>compat</literal> entry of the <filename>/etc/nsswitch.conf</filename> lines so that
<filename>/etc/passwd</filename> and <filename>/etc/group</filename> based mappings take precedence.</para>
<title>Configuration in <filename>/etc/nsswitch.conf</filename></title>

<para>Here is an example <filename>/etc/nsswitch.conf</filename> file that enables
<command>nss-systemd</command> correctly:</para>

<!-- synchronize with other nss-* man pages and factory/etc/nsswitch.conf -->
<programlisting>passwd:         compat <command>systemd</command>
group:          compat [SUCCESS=merge] <command>systemd</command>
hosts:          mymachines resolve [!UNAVAIL=return] myhostname files dns
netgroup:       nis</programlisting>
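<para>The ordering recommendation above can be checked mechanically. The following is an added example,
not part of the systemd sources: the function names <literal>parse_nsswitch</literal> and
<literal>check_systemd</literal> are hypothetical, and both sample inputs are constructed.</para>

```python
import re

def parse_nsswitch(text):
    """Map each database name to its ordered list of services.

    Bracketed action items such as [SUCCESS=merge] or [!UNAVAIL=return]
    are not services and are dropped.
    """
    dbs = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments
        if not line or ":" not in line:
            continue
        db, _, rest = line.partition(":")
        rest = re.sub(r"\[[^\]]*\]", " ", rest)  # remove [ACTION] items
        dbs[db.strip()] = rest.split()
    return dbs

def check_systemd(text, databases=("passwd", "group")):
    """Return findings; an empty list means the layout matches the recommendation."""
    dbs = parse_nsswitch(text)
    findings = []
    for db in databases:
        services = dbs.get(db)
        if services is None:
            findings.append(f"{db}: line missing")
        elif "systemd" not in services:
            findings.append(f"{db}: systemd not enabled")
        else:
            pos = services.index("systemd")
            local = [services.index(s) for s in ("files", "compat") if s in services]
            if not local:
                findings.append(f"{db}: no files/compat entry")
            elif min(local) > pos:
                # /etc/passwd and /etc/group would no longer take precedence
                findings.append(f"{db}: systemd listed before files/compat")
    return findings

# Constructed sample mirroring the recommended layout.
GOOD = """passwd: compat systemd
group: compat [SUCCESS=merge] systemd
hosts: mymachines resolve [!UNAVAIL=return] myhostname files dns
"""
# Constructed sample with the module misplaced on one line and absent on the other.
BAD = """passwd: systemd files
group: files [SUCCESS=merge] sss   # constructed
"""

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_systemd(sample))
```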
<title>Example: Mappings provided by <filename>systemd-machined.service</filename></title>

<para>The container <literal>rawhide</literal> is spawned using
<citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>:
</para>
<programlisting># systemd-nspawn -M rawhide --boot --network-veth --private-users=pick
Spawning container rawhide on /var/lib/machines/rawhide.
Selected user namespace base 20119552 and range 65536.

$ machinectl --max-addresses=3
MACHINE CLASS     SERVICE        OS     VERSION ADDRESSES
rawhide container systemd-nspawn fedora 30      169.254.40.164 fe80::94aa:3aff:fe7b:d4b9

$ getent passwd vu-rawhide-0 vu-rawhide-81
vu-rawhide-0:*:20119552:65534:vu-rawhide-0:/:/usr/sbin/nologin
vu-rawhide-81:*:20119633:65534:vu-rawhide-81:/:/usr/sbin/nologin

$ getent group vg-rawhide-0 vg-rawhide-81
vg-rawhide-0:*:20119552:
vg-rawhide-81:*:20119633:

$ ps -o user:15,pid,tty,command -e|grep '^vu-rawhide'
vu-rawhide-0      692 ?        /usr/lib/systemd/systemd
vu-rawhide-0      731 ?        /usr/lib/systemd/systemd-journald
vu-rawhide-192    734 ?        /usr/lib/systemd/systemd-networkd
vu-rawhide-193    738 ?        /usr/lib/systemd/systemd-resolved
vu-rawhide-0      742 ?        /usr/lib/systemd/systemd-logind
vu-rawhide-81     744 ?        /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
vu-rawhide-0      746 ?        /usr/sbin/sshd -D ...
vu-rawhide-0      752 ?        /usr/lib/systemd/systemd --user
vu-rawhide-0      753 ?        (sd-pam)
vu-rawhide-0     1628 ?        login -- zbyszek
vu-rawhide-1000  1630 ?        /usr/lib/systemd/systemd --user
vu-rawhide-1000  1631 ?        (sd-pam)
vu-rawhide-1000  1637 pts/8    -zsh
</programlisting>
<title>See Also</title>

<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry><refentrytitle>nss-resolve</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
<citerefentry><refentrytitle>nss-myhostname</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
<citerefentry><refentrytitle>nss-mymachines</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd-userdbd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd-homed.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd-machined.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
<citerefentry project='man-pages'><refentrytitle>nsswitch.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry project='man-pages'><refentrytitle>getent</refentrytitle><manvolnum>1</manvolnum></citerefentry>