The materials have been updated.
New materials:
- passwd.1.txt
Updated materials:
- nsswitch.conf.4.txt
- the actual proposal (see nssad-details.txt)
Diffs:
------- nsswitch.conf.4.txt -------
--- /tmp/sccs.NSaWCI Wed Jul 23 19:28:15 2008
+++ nsswitch.conf.4.txt Wed Jul 23 19:19:03 2008
@@ -1,5 +1,7 @@
File Formats nsswitch.conf(4)
+
+
NAME
nsswitch.conf - configuration file for the name service
switch
@@ -7,6 +9,7 @@
SYNOPSIS
/etc/nsswitch.conf
+
DESCRIPTION
The operating system uses a number of databases of informa-
tion about hosts, ipnodes, users (passwd(4), shadow(4), and
@@ -17,8 +20,11 @@
database; the sources and their lookup order are specified
in the /etc/nsswitch.conf file.
+
The following databases use the switch file:
+
+
Database Used By
aliases sendmail(1M)
auth_attr getauthnam(3SECDB)
@@ -48,10 +54,12 @@
rpc getrpcbyname(3NSL)
services getservbyname(3SOCKET).
See Interaction with netconfig.
- user_attr getuserattr(3SECDB)
+
The following sources may be used:
+
+
Source Uses
files /etc/hosts, /etc/passwd,
/etc/inet/ipnodes, /etc/shadow,
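Review bot: the `- user_attr getuserattr(3SECDB)` line drops a row from the "Database Used By" table in what is otherwise a whitespace-only hunk, and nothing in the cover text explains it. The proposal (section 8) still describes user_attr(4) as a database that follows the passwd entry in nsswitch.conf, so the row looks like it should stay; if the removal is intentional, say why in the summary so a reader does not take it for an accidental deletion.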
@@ -74,9 +82,12 @@
ments support for
${HOME}/.printers.
+
+
Note that /etc/inet/ipnodes is a symbolic link to
/etc/hosts.
+
There is an entry in /etc/nsswitch.conf for each database.
Typically these entries will be simple, such as protocols:
files or networks: files nisplus. However, when multiple
@@ -85,6 +96,7 @@
tried. A source can return one of the following codes:
+
Status Meaning
SUCCESS Requested database entry was found.
UNAVAIL Source is not configured on this
@@ -93,16 +105,22 @@
TRYAGAIN Source is busy or not responding,
might respond to retries.
+
For each status code, two actions are possible:
+
Action Meaning
continue Try the next source in the list.
return Return now.
+
+
Additionally, for TRYAGAIN only, the following actions are
possible:
+
+
Action Meaning
forever Retry the current source forever.
n Retry the current source n more
@@ -116,6 +134,7 @@
TRYAGAIN=n is restored.
+
The complete syntax of an entry is:
<entry> ::= <database> ":" [<source> [<criteria>]]*
@@ -123,15 +142,20 @@
<criterion> ::= <status> "=" <action>
<status> ::= "success" | "notfound" | "unavail" | "tryagain"
+
+
For every status except TRYAGAIN, the action syntax is:
<action> ::= "return" | "continue"
+
+
For the TRYAGAIN status, the action syntax is:
<action> ::= "return" | "continue" | "forever" | <n>
<n> ::= 0...MAX_INT
+
Each entry occupies a single line in the file. Lines that
are blank, or that start with white space, are ignored.
Everything on a line following a # character is also
@@ -140,18 +164,22 @@
are case-sensitive, but <action> and <status> names are
case-insensitive.
+
The library functions contain compiled-in default entries
that are used if the appropriate entry in nsswitch.conf is
absent or syntactically incorrect.
+
The default criteria for DNS and the NIS server in "DNS-
forwarding mode" is [SUCCESS=return NOTFOUND=continue
UNAVAIL=continue TRYAGAIN=3].
+
The default criteria for all other sources is
[SUCCESS=return NOTFOUND=continue UNAVAIL=continue
TRYAGAIN=forever].
+
The default, or explicitly specified, criteria are meaning-
less following the last source in an entry; and they are
ignored, since the action is always to return to the caller
@@ -185,6 +213,7 @@
DNS lookups; dns need not be specified explicitly as a
source.
+
In SunOS 5.3 (Solaris 2.3) and compatible versions, the NIS+
server in NIS/YP-compatibility mode can also be run in DNS-
forwarding mode (see rpc.nisd(1M)). Forwarding is effective
@@ -198,18 +227,28 @@
passwd: files
+
passwd: files nis
+
passwd: files nisplus
+
passwd: files ldap
+
passwd: compat
+
passwd_compat: nisplus
+
passwd_compat: ldap
+
+
++ Adding 'ad' to the configurations listed above is supported
++ though changing AD users' passwords through passwd(1) is not.
Any other settings will cause the passwd(1) command to fail
when it attempts to change the password after expiration and
will prevent the user from logging in. These are the only
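Review bot: the two added `++` lines sit directly before "Any other settings will cause the passwd(1) command to fail", so the reader is left to guess what actually happens when passwd(1) meets an 'ad' source. The proposal's section 7 states it: 'ad' is skipped during a password update, and AD users' passwords are changed with kpasswd(1). Putting those two facts here (e.g. "... is not; passwd(1) skips the ad source during a password update, and AD users' passwords are changed with kpasswd(1).") makes the manpage self-contained instead of implying that an AD user simply cannot change a password.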
@@ -234,6 +273,7 @@
/etc/passwd and /etc/shadow (the latter is a new addition to
SunOS 5.0, see shadow(4)).
+
If this is not sufficient, the NIS/YP compatibility source
provides full +/- semantics. It reads /etc/passwd for
getpwnam(3C) functions and /etc/shadow for getspnam(3C)
@@ -242,9 +282,11 @@
overridden by specifying nisplus or ldap as the source for
the pseudo-database passwd_compat.
+
Note that in compat mode, for every /etc/passwd entry, there
must be a corresponding entry in the /etc/shadow file.
+
The NIS/YP compatibility source also provides full +/-
semantics for group; the relevant pseudo-database is
group_compat.
@@ -256,42 +298,62 @@
passwd: files nis
+
group: files nis
+
hosts: nis [NOTFOUND=return] files
+
ipnodes: nis [NOTFOUND=return] files
+
networks: nis [NOTFOUND=return] files
+
protocols: nis [NOTFOUND=return] files
+
rpc: nis [NOTFOUND=return] files
+
ethers: nis [NOTFOUND=return] files
+
netmasks: nis [NOTFOUND=return] files
+
bootparams: nis [NOTFOUND=return] files
+
publickey: nis [NOTFOUND=return] files
+
netgroup: nis
+
automount: files nis
+
aliases: files nis
+
services: files nis
+
printers: user files nis nisplus
+
auth_attr files nis
+
prof_attr files nis
+
project files nis
+
+
Note that the files source for the ipnodes and hosts data-
bases is identical, as /etc/inet/ipnodes is a symbolic link
to /etc/hosts. Because other sources for the ipnodes and
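Review bot: the context lines `auth_attr files nis`, `prof_attr files nis` and `project files nis` are missing the ":" that the entry grammar earlier in the same page requires (`<entry> ::= <database> ":" ...`). This is pre-existing, but since the whole section is being reflowed anyway it is a good moment to write them as `auth_attr: files nis` and so on, so that a reader who copies the sample does not produce an entry the switch will not parse.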
@@ -298,6 +360,7 @@
hosts databases are different, do not remove the ipnodes
line from the /etc/nsswitch.conf file.
+
The policy nis [NOTFOUND=return] files implies: if nis is
UNAVAIL, continue on to files, and if nis returns NOTFOUND,
return to the caller. In other words, treat nis as the
@@ -306,13 +369,17 @@
configuration above, are identical to the hard-wired poli-
cies in SunOS releases prior to 5.0.
+
If compatibility with the +/- syntax for passwd and group is
required, simply modify the entries for passwd and group to:
passwd: compat
+
group: compat
+
+
If NIS+ is the enterprise level name service, the default
configuration should be modified to use nisplus instead of
nis for every database on client machines. The file
@@ -319,6 +386,7 @@
/etc/nsswitch.nisplus contains a sample configuration that
can be copied to /etc/nsswitch.conf to set this policy.
+
If LDAP is the enterprise level name service, the default
configuration should be modified to use ldap instead of nis
for every database on client machines. The file
@@ -325,22 +393,26 @@
/etc/nsswitch.ldap contains a sample configuration that can
be copied to /etc/nsswitch.conf to set this policy.
-+ When using Active Directory with native schema for name service,
-+ the default configuration should be modified to use ad for
-+ for passwd and group, dns for hosts resolution and files
-+ for the remaining databases on client machines.
++ When using Active Directory dns is required for hosts
++ resolution.
++
If the use of +/- syntax is desired in conjunction with
nisplus, use the following four entries:
passwd: compat
+
passwd_compat: nisplus OR ldap
+
group: compat
+
group_compat: nisplus OR ldap
+
+
In order to get information from the Internet Domain Name
Service for hosts that are not listed in the enterprise
level name service, NIS+ or LDAP, use the following confi-
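Review bot: the replacement `++ When using Active Directory dns is required for hosts resolution.` loses the only guidance the manpage gave on where ad is meant to appear (passwd and group, with files for the rest), and the section now contains no example entry with ad at all, even though the proposal (section 8) lists `passwd: files ad` and `passwd: files ldap ad` as the supported forms. Suggest keeping one example line here and a comma after "Active Directory"; the old text's "use ad for for passwd" typo disappears either way.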
@@ -353,6 +425,7 @@
hosts: ldap dns [NOTFOUND=return] files
+
Enumeration - getXXXent()
Many of the databases have enumeration functions: passwd has
getpwent(), hosts has gethostent(), and so on. These were
@@ -374,6 +447,7 @@
interleave calls, they will enumerate disjoint subsets of
the same database.
+
In general, the use of the enumeration functions is depre-
cated. In the case of passwd, shadow, and group, it may
sometimes be appropriate to use fgetgrent(), fgetpwent(),
@@ -387,48 +461,65 @@
/etc/nsswitch.conf Configuration file.
+
/usr/lib/nss_compat.so.1 Implements compat source.
+
/usr/lib/nss_dns.so.1 Implements dns source.
+
/usr/lib/nss_files.so.1 Implements files source.
+
/usr/lib/nss_mdns.so.1 Implements mdns source.
+
/usr/lib/nss_nis.so.1 Implements nis source.
+
/usr/lib/nss_nisplus.so.1 Implements nisplus source.
+
/usr/lib/nss_ldap.so.1 Implements ldap source.
-+ /usr/lib/nss_ad.so.1 Implements ad source.
++ /usr/lib/nss_ad.so.1 Implements ad source.
++
++
/usr/lib/nss_user.so.1 Implements user source.
+
/etc/netconfig Configuration file for
netdir(3NSL) functions that
redirects hosts/devices policy
to the switch.
+
/etc/nsswitch.files Sample configuration file that
uses files only.
+
/etc/nsswitch.nis Sample configuration file that
uses files and nis.
+
/etc/nsswitch.nisplus Sample configuration file that
uses files and nisplus.
+
/etc/nsswitch.ldap Sample configuration file that
uses files and ldap.
- /etc/nsswitch.ad Sample configuration file that
- uses files and ad.
++ /etc/nsswitch.ad Sample configuration file that
++ uses files and ad.
++
++
/etc/nsswitch.dns Sample configuration file that
uses files, dns and mdns (dns
and mdns only for hosts).
+
SEE ALSO
ldap(1), newtask(1), NIS+(1), passwd(1), automount(1M),
ifconfig(1M), mdnsd(1M), rpc.bootparamd(1M), rpc.nisd(1M),
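Review bot: `/etc/nsswitch.ad` changes from an unmarked line to a `++` line, i.e. it is now declared as a new file delivered by this project; please confirm that the sample file is actually part of the deliverables, since the Supporting Documents table in nssad-details.txt does not list it. The description "uses files and ad" also does not match the new statement that dns is required for hosts resolution with Active Directory; the entry for /etc/nsswitch.dns shows the pattern to follow ("uses files, ad and dns (dns only for hosts)").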
@@ -451,6 +542,7 @@
is read only once; if the file is later changed, the process
will continue using the old configuration.
+
The use of both nis and nisplus as sources for the same
database is strongly discouraged since both the name ser-
vices are expected to store similar information and the
@@ -457,16 +549,17 @@
lookups on the database may yield different results depend-
ing on which name service is operational at the time of the
request. The same applies for using ldap along with nis or
- nisplus. The same applies for using ldap along with ad
- when ldap is used with schema mapping with an Active
- Directory domain.
+- nisplus.
++ nisplus. The same applies for using ldap along with ad
++ when ldap is used with schema mapping with an Active
++ Directory domain.
+
Misspelled names of sources and databases will be treated as
legitimate names of (most likely nonexistent) sources and
databases.
+
The following functions do not use the switch:
fgetgrent(3C), fgetprojent(3PROJECT), fgetpwent(3C),
fgetspent(3C), getpw(3C), putpwent(3C), shadow(4).
-
- SunOS 5.11 Last change: 21 Aug 2007 11
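Review bot: the hunk deletes the `SunOS 5.11 Last change: 21 Aug 2007` footer instead of updating it. A manpage that gains new text should carry a new "Last change" date, so either restore the footer with the current date or note in the cover text that the footer is regenerated at build time. The re-marking of the ldap/ad warning as `++` lines is correct, since that sentence is new relative to the shipping manpage.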
--- nssad-details.txt-orig Jul 23 19:22:48 2008
+++ nssad-details.txt Wed Jul 23 19:25:14 2008
@@ -2,10 +2,10 @@
1. Introduction
1.1. Project/Component Working Name:
- NSS_AD: Name Service Module for AD
+ NSSAD: Name Service Module for AD
1.2. Name of Document Author/Supplier:
Author: Baban Kenkre
- 1.3 Date:
+ 1.3 Date of This Document:
11 July, 2008
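Review bot: the working name is changed to "NSSAD" here, but the same document still uses "nssad" (CR 6722476 line), "nss_ad" (section 12, "a chapter on nss_ad") and the module file is `/usr/lib/nss_ad.so.1`. Pick one spelling for the project name and use it consistently across nssad-details.txt and the manpages, or state which form is the project name and which is the file name.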
@@ -115,8 +115,38 @@
get{pw,gr}{nam,uid,gid}() to do the same.
-7. Mapping to passwd(4) and shadow(4)
+7. Password Updates
+ passwd(1) manpage contains a list of valid password update
+ configurations for the passwd entry in nsswitch.conf(4) file. Adding
+ 'ad' to these configurations will be supported though changing AD
+ users' passwords through passwd(1) won't be supported. 'ad' will be
+ skipped if found in the passwd entry during password update. AD
+ users' passwords can be updated using kpasswd(1) command. passwd(1)
+ and nsswitch.conf(4) manpages as well as the Solaris Admin Guide will
+ be updated to reflect this.
+
+
+8. Other consumers of passwd entry
+
+ As mentioned previously "ad" can be added to any of the existing
+ valid passwd and group entries in nsswitch.conf.
+
+ Examples:
+ passwd: files ad OR
+ passwd: files ldap ad
+
+ This allows consumers of get{pw|gr}{nam|uid|gid} to resolve Windows
+ names and ephemeral IDs. Other name service databases such as
+ audit_user(4) and user_attr(4) that follow passwd entry in
+ nsswitch.conf will not be affected by the additional backend in the
+ passwd entry. This backend will be processed (based on the
+ configuration) and if it's 'ad' then it will return NOTFOUND because
+ RBAC is not yet suppported by AD.
+
+
+9. Mapping to passwd(4) and shadow(4)
+
Mapping of Windows user to passwd(4) form will be done as follows:
o The Windows's user object belongs to objectClass "user".
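Review bot: in section 8 the sentence "This backend will be processed ... and if it's 'ad' then it will return NOTFOUND" should spell out the consequence for the caller: under the default criteria NOTFOUND=continue the lookup moves to the next source, but if ad is the last source for a database such as user_attr(4) the caller simply gets "not found", and that is the behaviour an administrator needs to know. Also "suppported" should be "supported", and the notation `get{pw|gr}{nam|uid|gid}` differs from `get{pw,gr}{nam,uid,gid}` used a few lines earlier in the same file; use one form.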
@@ -160,7 +190,7 @@
because shadow fields are irrevalent with AD and krb5.
-8. Mapping to group(4)
+10. Mapping to group(4)
Mapping of Windows group to group(4) form will be done as follows:
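Review bot: while renumbering this section, the context line "shadow fields are irrevalent with AD and krb5" should read "irrelevant"; it is pre-existing, but the hunk already touches the surrounding lines.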
@@ -184,9 +214,9 @@
object does not contain the group's password.
-9. Relevant ARC cases and CRs
+11. Relevant ARC cases and CRs
- o 6722476 name service switch module for AD (nss_ad) needed
+ o 6722476 name service switch module for AD (nssad) needed
o PSARC/2006/315 Winchester:ID Mapping service
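Review bot: changing the synopsis of CR 6722476 from "nss_ad" to "nssad" inside this document does not change the CR's own title; if the bug database still says "nss_ad", quote it as filed so the reference can be found, and keep the naming change to the project name only.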
@@ -199,7 +229,7 @@
o PSARC/2008/342 Further SID support
-10. Supporting Documents
+12. Supporting Documents
+---------------------+-----------------------------------+
| Filename | Description |
@@ -207,13 +237,17 @@
| ad.5.txt | ad(5) manpage |
| | |
| nsswitch.conf.4.txt | Modified nsswitch.conf(4) manpage |
+ | | |
+ | passwd.1.txt | Modified passwd(1) manpage |
+---------------------+-----------------------------------+
- In addition to the above the Solaris admin guide will include a
- chapter on AD name service in Solaris.
+ In addition to the above the Solaris Admin Guide will include (i) a
+ chapter on nss_ad and (ii) the Naming and Directory services (DNS,
+ NIS, and LDAP) chapter will be modified to clarify the password
+ update issue related to AD users.
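Review bot: the added sentence is not parallel: "the Solaris Admin Guide will include (i) a chapter on nss_ad and (ii) the ... chapter will be modified". Suggest "(i) a new chapter on nss_ad will be added and (ii) the Naming and Directory Services (DNS, NIS, and LDAP) chapter will be modified to cover the password update issue for AD users." The table addition for passwd.1.txt is consistent with the "New materials" list in the cover text.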
-11. References
+13. References
[1] "Well-Known SIDs", <http://support.microsoft.com/kb/243330>.