Warning: jsMath requires JavaScript to process the mathematics on this page.
If your browser supports JavaScript, be sure it is enabled.

libnss-afs

A Name Service Switch (NSS) plugin is a shared library used by glibc to — among other things — translate between usernames and numeric userids and between group names and numeric groupids.

The libnss-afs library is an NSS plugin which answers these queries using the information stored in the AFS ptserver, avoiding the need to duplicate (and update) this information in /etc/passwd or LDAP. The library also synthesizes the name AfsPag-XXXX for the fake group ids that are used to represent AFS PAGs.

For an example of how to integrate this with Kerberos, PAM, SSH, nscd, and the OpenAFS client, please see HCoop's New Machine Setup page.

Getting It

You can retrieve libnss-afs from its git repository or directly out of AFS:

/afs/hcoop.net/user/m/me/megacz/public/libnss-afs/

Install the debian package and put these lines in /etc/nsswitch.conf:

passwd: afs compat
group: afs compat

History

libnss-afs was derived from Frank Burkhardt's libnss-ptdb, which was in turn derived from Todd M. Lewis's nss_pts.

Unlike libnss-ptdb, the new library requires no daemon process. Unlike nss_pts, the new library performs proper pthreads-locking around the thread-unsafe AFS libraries. Perhaps most importantly of all, libnss-afs is only 286 lines of code in a single file, making it easier to review for correctness and robustness.

libnss-afs also includes the functionality provided by nss_afspag. This functionality is integrated directly into libnss_afs.so rather than being in a separate library, and has been updated to the new Linux 2.6 PAG numbering scheme. It also includes a fix for a bug which would cause nscd to crash.

Advice

It is strongly recommended that you run nscd to cache the replies from ptserver.

There is a known bug in nscd which may cause it to crash. It seems that libnss-afs increases the probability of triggering this bug. To avoid this, you must put this line in /etc/nscd.conf:

enable-cache hosts no

Known Issues/Bugs

Strange behaviors such as very slow logins and incorrect home directories have been observed when a given username has an entry in both /etc/passwd and in pts. It is strongly recommended that you ensure that no user appear in both places.

To Do

In the transition from libnss-ptdb to libnss-afs, all configuration options were removed. The majority of them are no longer necessary because there is no daemon, but I really need to add back in a way to choose the “homedir style” and “shell style”.

Currently these settings are hardwired, but can be changed with very simple edits to the source code:

If /etc/openafs/ThisCell is somecell.edu, then the home directory for user fred will be /afs/somecell.edu/user/f/fr/fred/.
If ~/.loginshell exists and is a symlink, then whatever it points to is the user's shell. If the link does not exist, or any errors are encountered, the user's shell is /bin/bash.

Hopefully there is a way to put some options in /etc/nsswitch.conf for this in order to avoid creating new configuration files.