
On Linux and Unix-like systems the Name Service Switch is used to gather entries for the system's name databases.

There are databases such as files, dns, nis and ldap. Is it possible to determine for a given user which service was used to add that entry?

Must further information be gathered from the respective tools for those services or is there a standard set of information NSS gathers besides just a name?

Further, how does PAM get credentials from NSS? Is it just the username? Is NSS used when PAM is authenticating over ldap? Does PAM call back to NSS? Is PAM even used in LDAP or other networked logins?

Can NSS be bypassed for some other system or is it heavily baked into the kernel?

jdwolf
  • Just a clarification of the terminology in order to avoid confusion: In [this context](https://jlk.fjfi.cvut.cz/arch/manpages/man/nsswitch.conf.5) a *database* is something like passwd, shadow, group, hosts, etc. and not a *name service* like files, dns, nis or ldap. Those are nss interfaces for different backends, which may not support all databases or lookup functions. – stefan0xC Mar 18 '20 at 09:02
  • Also check out the answers to the question "[Understand PAM and NSS](https://serverfault.com/q/538383/346856)" for further clarification on the relationship between NSS and PAM: https://serverfault.com/a/538503/346856 – stefan0xC Mar 18 '20 at 09:04

1 Answer


You can look up a given entry in each service using getent, e.g.:

getent -s files passwd $USER
getent -s ldap  passwd $USER

"The order of the services on the line" in /etc/nsswitch.conf "determines the order in which those services will be queried, in turn, until a result is found." Thus, by checking each service you can check which service is responsible for a given entry.

stefan0xC
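The answer above checks one service at a time by hand. As an added example (not part of the original answer), the script below automates that procedure: it reads the service list for a database out of nsswitch.conf content, drops any `[STATUS=ACTION]` clauses, and then queries each service with `getent -s` in configuration order, stopping at the first one that returns the entry, which is exactly the service NSS itself would have used. The `passwd: files systemd ldap` line embedded in the script is a constructed sample, not taken from any real host; when run with a user name argument it reads the live /etc/nsswitch.conf instead.

```shell
#!/bin/sh
# nss_source.sh: report which NSS service answers for a given database entry.
# Assumes glibc getent, which accepts "-s SERVICE" as in the answer above.

# Constructed sample nsswitch.conf content used for the self-contained demo.
SAMPLE_NSSWITCH='# constructed sample, not a real host configuration
passwd:     files systemd ldap
hosts:      files dns [NOTFOUND=return] myhostname'

# nss_services DATABASE NSSWITCH_CONTENT
# Prints the services configured for DATABASE, in lookup order, on one line.
# Comments and [STATUS=ACTION] clauses are stripped so only service names remain.
nss_services() {
    printf '%s\n' "$2" \
      | sed -e 's/#.*//' -e 's/\[[^]]*\]//g' -e 's/:/ : /' \
      | awk -v db="$1" '
            $1 == db && $2 == ":" {
                out = ""
                for (i = 3; i <= NF; i++) out = out (out == "" ? "" : " ") $i
                print out
            }'
}

# nss_source_for_entry DATABASE KEY NSSWITCH_CONTENT
# Queries each configured service in order with getent -s and prints the first
# service that returns the entry. Exit status 1 if no service knows the key
# (or if getent is unavailable), mirroring NSS's "until a result is found".
nss_source_for_entry() {
    for svc in $(nss_services "$1" "$3"); do
        if getent -s "$svc" "$1" "$2" >/dev/null 2>&1; then
            echo "$svc"
            return 0
        fi
    done
    return 1
}

# Live demo against this host when a user name is supplied:
#   sh nss_source.sh alice
if [ -n "${1:-}" ] && [ -r /etc/nsswitch.conf ]; then
    src=$(nss_source_for_entry passwd "$1" "$(cat /etc/nsswitch.conf)") \
        && echo "$1: passwd entry served by '$src'" \
        || echo "$1: not found in any configured passwd service"
fi
```

Because the services are consulted in the order nsswitch.conf lists them, the first hit is also the one that wins on the live system; a user that exists both in files and in ldap is therefore reported as "files" when files is listed first, which is the shadowing behaviour an administrator usually wants to confirm.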