--- /dev/null
+<?xml version='1.0'?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
+<!-- SPDX-License-Identifier: LGPL-2.1+ -->
+
+<refentry id="userdbctl" conditional='ENABLE_USERDB'
+ xmlns:xi="http://www.w3.org/2001/XInclude">
+
+ <refentryinfo>
+ <title>userdbctl</title>
+ <productname>systemd</productname>
+ </refentryinfo>
+
+ <refmeta>
+ <refentrytitle>userdbctl</refentrytitle>
+ <manvolnum>1</manvolnum>
+ </refmeta>
+
+ <refnamediv>
+ <refname>userdbctl</refname>
+ <refpurpose>Inspect users, groups and group memberships</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv>
+ <cmdsynopsis>
+ <command>userdbctl</command>
+ <arg choice="opt" rep="repeat">OPTIONS</arg>
+ <arg choice="req">COMMAND</arg>
+ <arg choice="opt" rep="repeat">NAME</arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1>
+ <title>Description</title>
+
+ <para><command>userdbctl</command> may be used to inspect user and groups (as well as group memberships)
+ of the system. This client utility inquires user/group information provided by various system services,
+ both operating on JSON user/group records (as defined by the <ulink
+ url="https://systemd.io/USER_RECORD">JSON User Record</ulink> and <ulink
+ url="https://systemd.io/GROUP_RECORD">JSON Group Record</ulink> definitions), and classic UNIX NSS/glibc
+ user and group records. This tool is primarily a client to the <ulink
+ url="https://systemd.io/USER_GROUP_API">User/Group Record Lookup API via Varlink</ulink>.</para>
+ </refsect1>
+
+ <refsect1>
+ <title>Options</title>
+
+ <para>The following options are understood:</para>
+
+ <variablelist>
+
+ <varlistentry>
+ <term><option>--output=</option><replaceable>MODE</replaceable></term>
+
+ <listitem><para>Choose the output mode, takes one of <literal>classic</literal>,
+ <literal>friendly</literal>, <literal>table</literal>, <literal>json</literal>. If
+ <literal>classic</literal>, an output very close to the format of <filename>/etc/passwd</filename> or
+ <filename>/etc/group</filename> is generated. If <literal>friendly</literal> a more comprehensive and
+ user friendly, human readable output is generated; if <literal>table</literal> a minimal, tabular
+ output is generated; if <literal>json</literal> a JSON formatted output is generated. Defaults to
+ <literal>friendly</literal> if a user/group is specified on the command line,
+ <literal>table</literal> otherwise.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--service=</option><replaceable>SERVICE</replaceable><optional>:<replaceable>SERVICE…</replaceable></optional></term>
+ <term><option>-s</option> <replaceable>SERVICE</replaceable>:<replaceable>SERVICE…</replaceable></term>
+
+ <listitem><para>Controls which services to query for users/groups. Takes a list of one or more
+ service names, separated by <literal>:</literal>. See below for a list of well-known service
+ names. If not specified all available services are queried at once.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--with-nss=</option><replaceable>BOOL</replaceable></term>
+
+ <listitem><para>Controls whether to include classic glibc/NSS user/group lookups in the output. If
+ <option>--with-nss=no</option> is used any attempts to resolve or enumerate users/groups provided
+ only via glibc NSS is suppressed. If <option>--with-nss=yes</option> is specified such users/groups
+ are included in the output (which is the default).</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--synthesize=</option><replaceable>BOOL</replaceable></term>
+
+ <listitem><para>Controls whether to synthesize records for the root and nobody users/groups if they
+ aren't defined otherwise. By default (or <literal>yes</literal>) such records are implicitly
+ synthesized if otherwise missing since they have special significance to the OS. When
+ <literal>no</literal> this synthesizing is turned off.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>-N</option></term>
+
+ <listitem><para>This option is short for <option>--with-nss=no</option>
+ <option>--synthesize=no</option>. Use this option to show only records that are natively defined as
+ JSON user or group records, with all NSS/glibc compatibility and all implicit synthesis turned
+ off.</para></listitem>
+ </varlistentry>
+
+ <xi:include href="standard-options.xml" xpointer="no-pager" />
+ <xi:include href="standard-options.xml" xpointer="no-legend" />
+ <xi:include href="standard-options.xml" xpointer="help" />
+ <xi:include href="standard-options.xml" xpointer="version" />
+ </variablelist>
+ </refsect1>
+
+ <refsect1>
+ <title>Commands</title>
+
+ <para>The following commands are understood:</para>
+
+ <variablelist>
+
+ <varlistentry>
+ <term><command>user</command> <optional><replaceable>USER</replaceable>…</optional></term>
+
+ <listitem><para>List all known users records or show details of one or more specified user
+ records. Use <option>--output=</option> to tweak output mode.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>group</command> <optional><replaceable>GROUP</replaceable>…</optional></term>
+
+ <listitem><para>List all known group records or show details of one or more specified group
+ records. Use <option>--output=</option> to tweak output mode.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>users-in-group</command> <optional><replaceable>GROUP</replaceable>…</optional></term>
+
+ <listitem><para>List users that are members of the specified groups. If no groups are specified list
+ all user/group memberships defined. Use <option>--output=</option> to tweak output
+ mode.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>groups-of-user</command> <optional><replaceable>USER</replaceable>…</optional></term>
+
+ <listitem><para>List groups that the specified users are members of. If no users are specified list
+ all user/group memberships defined (in this case <command>groups-of-user</command> and
+ <command>users-in-group</command> are equivalent). Use <option>--output=</option> to tweak output
+ mode.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>services</command></term>
+
+ <listitem><para>List all services currently providing user/group definitions to the system. See below
+ for a list of well-known services providing user information.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><command>ssh-authorized-keys</command></term>
+
+ <listitem><para>This operation is not a public, user-facing interface. It is used to allow the SSH daemon to pick
+ up authorized keys from user records, see below.</para></listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+
+ <refsect1>
+ <title>Well-Known Services</title>
+
+ <para>The <command>userdbctl services</command> command will list all currently running services that
+ provide user or group definitions to the system. The following are well-known services are shown among
+ this list.</para>
+
+ <variablelist>
+
+ <varlistentry>
+ <term><constant>io.systemd.DynamicUser</constant></term>
+
+ <listitem><para>This service is provided by the system service manager itself (i.e. PID 1) and
+ makes all users (and their groups) synthesized through the <varname>DynamicUser=</varname> setting in
+ service unit files available to the system (see
+ <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry> for
+ details about this setting).</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><constant>io.systemd.Home</constant></term>
+
+ <listitem><para>This service is provided by
+ <citerefentry><refentrytitle>systemd-homed.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+ and makes all users (and their groups) belonging to home directories managed by that service
+ available to the system.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><constant>io.systemd.Multiplexer</constant></term>
+
+ <listitem><para>This service is provided by
+ <citerefentry><refentrytitle>systemd-userdbd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+ and multiplexes user/group look-ups to all other running lookup services. This is the primary entry point
+ for user/group record clients, as it simplifies client side implementation substantially since they
+ can ask a single service for lookups instead of asking all running services in parallel.
+ <command>userdbctl</command> uses this service preferably, too, unless <option>--with-nss=</option>
+ or <option>--service=</option> are used, in which case finer control over the services to talk to is
+ required.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><constant>io.systemd.NameSeviceSwitch</constant></term>
+
+ <listitem><para>This service is (also) provided by
+ <citerefentry><refentrytitle>systemd-userdbd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+ and converts classic NSS/glibc user and group records to JSON user/group records, providing full
+ backwards compatibility. Use <option>--with-nss=no</option> to disable this compatibility, see
+ above. Note that compatibility is actually provided in both directions:
+ <citerefentry><refentrytitle>nss-systemd</refentrytitle><manvolnum>8</manvolnum></citerefentry> will
+ automatically synthesize classic NSS/glibc user/group records from all JSON user/group records
+ provided to the system, thus using both APIs is mostly equivalent and provides access to the same
+ data, however the NSS/glibc APIs necessarily expose a more reduced set of fields
+ only.</para></listitem>
+ </varlistentry>
+ </variablelist>
+
+ <para>Note that <command>userdbctl</command> has internal support for NSS-based lookups too. This means
+ that if neither <constant>io.systemd.Multiplexer</constant> nor
+ <constant>io.systemd.NameSeviceSwitch</constant> are running look-ups into the the basic user/group
+ databases will still work.</para>
+ </refsect1>
+
+ <refsect1>
+ <title>Integration with SSH</title>
+
+ <para>The <command>userdbctl</command> tool may be used to make the list of SSH authorized keys possibly
+ contained in a user record available to the SSH daemon for authentication. For that configure the
+ following in <citerefentry
+ project='openssh'><refentrytitle>sshd_config</refentrytitle><manvolnum>5</manvolnum></citerefentry>:</para>
+
+ <programlisting>…
+AuthorizedKeysCommand /usr/bin/userdbctl ssh-authorized-keys %u
+AuthorizedKeysCommandUser root
+…</programlisting>
+ </refsect1>
+
+ <refsect1>
+ <title>Exit status</title>
+
+ <para>On success, 0 is returned, a non-zero failure code otherwise.</para>
+ </refsect1>
+
+ <xi:include href="less-variables.xml" />
+
+ <refsect1>
+ <title>See Also</title>
+ <para>
+ <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>systemd-userdbd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>systemd-homed.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>nss-systemd</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+ <citerefentry project='man-pages'><refentrytitle>getent</refentrytitle><manvolnum>1</manvolnum></citerefentry>
+ </para>
+ </refsect1>
+
+</refentry>
projects / thirdparty / systemd.git / commitdiff
