nsswitch.conf: How does one use netgroups/over-ride passwd fields?

Dan Nelson dnelson at allantgroup.com
Mon Sep 27 11:06:34 PDT 2004

In the last episode (Sep 27), Tillman Hodgson said:
> I know that nsswitch.conf defaults to traditional behaviour (compat
> mode). The non-compat modes are intriguing, though, and I don't know
> much about them. So I thought I'd see if I can get traditional
> behaviour through the newer mechanisms. This might make migrations
> (for example) a bit easier.

They are basically serial lookups; if a user isn't found in the first
source, try the next, etc.  [notfound] allows for quick termination if
later sources are just fallback ones in case the primary doesn't
> passwd:   nis [notfound=return,netgroup=dept1,dept2,admins] files
> Possibly I'm missing a point somewhere :-) What is it about netgroups
> that don't make sense in an nsswitch.conf world?

I have only known them to be useful as part of +/- records; for example
to only allow matching users in the "access" netgroup log into a

+ at access::0:0:::

It may be that netgroup's real purpose is something else that I have
not yet discovered :)

	Dan Nelson
	dnelson at allantgroup.com

More information about the freebsd-questions mailing list