Index · Directives systemd 248


nss-systemd, — UNIX user and group name resolution for user/group lookup via Varlink



nss-systemd is a plug-in module for the GNU Name Service Switch (NSS) functionality of the GNU C Library (glibc), providing UNIX user and group name resolution for services implementing the User/Group Record Lookup API via Varlink, such as the system and service manager systemd(1) (for its DynamicUser= feature, see systemd.exec(5) for details), systemd-homed.service(8), or systemd-machined.service(8).

This module also ensures that the root and nobody users and groups (i.e. the users/groups with the UIDs/GIDs 0 and 65534) remain resolvable at all times, even if they aren't listed in /etc/passwd or /etc/group, or if these files are missing.

This module preferably utilizes systemd-userdbd.service(8) for resolving users and groups, but also works without the service running.

To activate the NSS module, add "systemd" to the lines starting with "passwd:" and "group:" in /etc/nsswitch.conf.

It is recommended to place "systemd" after the "files" or "compat" entry of the /etc/nsswitch.conf lines so that /etc/passwd and /etc/group based mappings take precedence.

Configuration in /etc/nsswitch.conf

Here is an example /etc/nsswitch.conf file that enables nss-systemd correctly:

passwd:         compat systemd
group:          compat [SUCCESS=merge] systemd
shadow:         compat

hosts:          mymachines resolve [!UNAVAIL=return] files myhostname dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

Example: Mappings provided by systemd-machined.service

The container "rawhide" is spawned using systemd-nspawn(1):

# systemd-nspawn -M rawhide --boot --network-veth --private-users=pick
Spawning container rawhide on /var/lib/machines/rawhide.
Selected user namespace base 20119552 and range 65536.

$ machinectl --max-addresses=3
rawhide container systemd-nspawn fedora 30 fe80::94aa:3aff:fe7b:d4b9

$ getent passwd vu-rawhide-0 vu-rawhide-81

$ getent group vg-rawhide-0 vg-rawhide-81

$ ps -o user:15,pid,tty,command -e|grep '^vu-rawhide'
vu-rawhide-0      692 ?        /usr/lib/systemd/systemd
vu-rawhide-0      731 ?        /usr/lib/systemd/systemd-journald
vu-rawhide-192    734 ?        /usr/lib/systemd/systemd-networkd
vu-rawhide-193    738 ?        /usr/lib/systemd/systemd-resolved
vu-rawhide-0      742 ?        /usr/lib/systemd/systemd-logind
vu-rawhide-81     744 ?        /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
vu-rawhide-0      746 ?        /usr/sbin/sshd -D ...
vu-rawhide-0      752 ?        /usr/lib/systemd/systemd --user
vu-rawhide-0      753 ?        (sd-pam)
vu-rawhide-0     1628 ?        login -- zbyszek
vu-rawhide-1000  1630 ?        /usr/lib/systemd/systemd --user
vu-rawhide-1000  1631 ?        (sd-pam)
vu-rawhide-1000  1637 pts/8    -zsh

See Also

systemd(1), systemd.exec(5), nss-resolve(8), nss-myhostname(8), nss-mymachines(8), systemd-userdbd.service(8), systemd-homed.service(8), systemd-machined.service(8), nsswitch.conf(5), getent(1)