libnss-db HOWTO
This mini-howto illustrates how to use libnss-db on an Ubuntu Linux system.
Other installations should work too after adjusting package names and directory paths.
I myself use it as a "serverless" lightweight user directory. Essentially, I mount the db directory and the home directory from an NFS server.
Package installation
Install the following packages:
apt install -y libnss-db make
This creates the directory /var/lib/misc on Ubuntu. On other distributions this may be /var/db.
Preparing nss-db data directory
I like to keep a separate set of users in the db files. For that, create a directory /var/lib/misc/etc. This will contain the additional users and groups.
mkdir -p /var/lib/misc/etc
for f in passwd group shadow
do
    # copy to keep the ownership and permissions of the originals, then
    # truncate so the db files start without the users from /etc
    cp -av /etc/$f /var/lib/misc/etc/$f
    > /var/lib/misc/etc/$f
done
This creates passwd, group, and shadow files. NOTE: gshadow is unsupported. This is only relevant if you are using passwords to control user group changes.
Because in this scenario we are using both flat files (i.e. /etc/passwd) and db files (i.e. /var/lib/misc/passwd.db), we want to avoid uid/gid overlaps between them. Copy /etc/login.defs to /var/lib/misc/etc/login.defs and change UID_MIN, UID_MAX, GID_MIN and GID_MAX to a different range (so as not to overlap with the flat-file ranges).
When users are created with the useradd command, you can pass the --prefix /var/lib/misc argument; it then creates users in the /var/lib/misc/etc directory (ignoring /etc) and takes its defaults from /var/lib/misc/etc/login.defs (instead of /etc/login.defs).
For /home directories to be created properly I create the symlink:
ln -s /home /var/lib/misc/home
I also like to add the sudoers configuration to the /var/lib/misc directory (so it can be shared via NFS):
cp -av /etc/sudoers.d /var/lib/misc
Moving nss-db data
If you are storing the nss-db data in a different location, you can use a bind mount (mount --bind) to make it available in /var/lib/misc. This can be configured in /etc/fstab as follows:
# /etc/fstab
/mount/point/dir /var/lib/misc none defaults,bind 0 0
Configuring nss-db
In /var/lib/misc there is a Makefile that is used to create the relevant db files. To control how this is done, you can configure things in /etc/default/libnss-db:
# /etc/default/libnss-db
# settings for libnss-db
# Directory where the databases are kept
VAR_DB = /var/lib/misc
# Location of files
ETC = $(VAR_DB)/etc
# Databases to generate
DBS = passwd group shadow
# Programs used
AWK = awk
MAKEDB = makedb --quiet
You must also add the db setting to the /etc/nsswitch.conf lines for passwd, group and shadow.
# Configure nsswitch.conf
sed -i~ \
-e 's/^\(passwd:[ \t]*\).*$/\1files systemd db/' \
-e 's/^\(group:[ \t]*\).*$/\1files systemd db/' \
-e 's/^\(shadow:[ \t]*\).*$/\1files db/' \
/etc/nsswitch.conf
This is not strictly part of nss-db, but I like to add to /etc/sudoers the line:
@includedir /var/lib/misc/sudoers.d
From then on, adding, modifying and removing users/groups should be done on the files in /var/lib/misc/etc. Afterwards, run make in /var/lib/misc to recreate the db files.
For convenience I created a script in /usr/local/bin named nssdb:
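As an added check that is not part of the original HOWTO, the following POSIX shell script (my own example, not the author's) verifies before make is run that the db passwd file does not reuse a name or UID from the flat /etc/passwd (the overlap concern raised earlier) and that its UIDs fall inside the range chosen in the db login.defs. The file paths and the 12000-12999 range are assumptions, and the sample files are constructed inline so it runs anywhere.

```shell
#!/bin/sh
# Added example, not part of the original HOWTO: before running make in
# /var/lib/misc, verify that the nss-db passwd file does not reuse a user
# name or UID from the flat /etc/passwd, and that every db UID lies in the
# range chosen in the db copy of login.defs. Paths and range are assumptions.

# Print entries of DB_PASSWD whose name or UID already exists in FLAT_PASSWD.
# Returns 1 if any overlap was found, 0 otherwise.
# Usage: check_overlap FLAT_PASSWD DB_PASSWD
check_overlap() {
    awk -F: '
        FILENAME == ARGV[1] { name[$1] = 1; uid[$3] = 1; next }   # flat file
        $1 in name { print "name " $1 " already in " ARGV[1]; bad = 1 }
        $3 in uid  { print "uid " $3 " (" $1 ") already in " ARGV[1]; bad = 1 }
        END { exit bad ? 1 : 0 }
    ' "$1" "$2"
}

# Check that every UID in DB_PASSWD is within [UID_MIN, UID_MAX] as set in
# the db login.defs. Returns 1 on any violation, 0 otherwise.
# Usage: check_range DB_PASSWD UID_MIN UID_MAX
check_range() {
    awk -F: -v min="$2" -v max="$3" '
        $3 < min || $3 > max { print "uid " $3 " (" $1 ") outside " min "-" max; bad = 1 }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# Constructed sample files (not real system data) written into DIR:
# passwd (flat file), db-bad (reuses the name alice), db-good (disjoint).
write_samples() {
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'alice:x:1000:1000:Alice:/home/alice:/bin/bash' > "$1/passwd"
    printf '%s\n' 'bob:x:12000:12000:Bob:/home/bob:/bin/bash' \
        'alice:x:12001:12001:Alice Two:/home/alice2:/bin/bash' > "$1/db-bad"
    printf '%s\n' 'bob:x:12000:12000:Bob:/home/bob:/bin/bash' \
        'carol:x:12001:12001:Carol:/home/carol:/bin/bash' > "$1/db-good"
}

# Demo run; on a real host use /etc/passwd and /var/lib/misc/etc/passwd.
dir=$(mktemp -d)
write_samples "$dir"
check_overlap "$dir/passwd" "$dir/db-bad"  || echo "db-bad: overlap found, do not run make"
check_overlap "$dir/passwd" "$dir/db-good" && echo "db-good: no overlap"
check_range   "$dir/db-good" 12000 12999   && echo "db-good: all UIDs in range"
rm -rf "$dir"
```

The same two checks apply unchanged to the group files by pointing them at /etc/group and /var/lib/misc/etc/group with the GID range.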
#!/bin/sh
#
# NSSDB command: runs the shadow-utils user/group commands against the
# nss-db copy of the files (--prefix) and then rebuilds the .db files.
#
nssdb_dir=/var/lib/misc
nssdb_opts="--prefix $nssdb_dir"
# GID range for groups created in the db; keep it disjoint from /etc/login.defs
extra_group_add_opts="--key GID_MIN=13000 --key GID_MAX=13999"

if [ $# -eq 0 ] ; then
    cat <<_EOF_
Usage: $0 useradd|userdel|usermod|groupadd|groupdel|groupmod [options]
_EOF_
    exit 1
fi

case "$1" in
useradd|userdel|usermod|groupdel|groupmod)
    op="$1" ; shift
    ;;
groupadd)
    op="$1" ; shift
    nssdb_opts="$nssdb_opts $extra_group_add_opts"
    ;;
*)
    echo "$1: Unknown sub-command" ; exit 1
    ;;
esac

# Run the command on the prefixed files, then regenerate the db files
"$op" $nssdb_opts "$@" && ( cd "$nssdb_dir" && make )
With it you can run:
nssdb useradd
nssdb usermod
nssdb userdel
nssdb groupadd
nssdb groupmod
nssdb groupdel
This will run the specified commands with the --prefix option, so they modify the files in /var/lib/misc, and the Makefile is then called accordingly.
Note that the following commands can not be supported:
chfn: does not support the --prefix or --root options.
chsh, passwd, newusers: only support --root, which requires root privileges.