libnss-db HOWTO

This mini-howto illustrate how to use libnss-db on a Ubuntu Linux system.

Other installations should work to after adjusting package names and directory paths.

I myself use as a "serverless" lightweight user directory. Essentially, I mount the db directory and the home directory from an NFS server.

Package installation

Install the following packages:

apt install -y libnss-db make

This creates a directory /var/lib/misc in Ubuntu. Other distributions this may be in /var/db.

Preparing nss-db data directory

I like to keep a separate set of users in the db files. For that, create a directory /var/lib/misc/etc. This will contain the additional users and groups.

for f in passwd group shadow
  cp -av /etc/$f /var/lib/misc/etc/$f
  >  /var/lib/misc/etc/$f

This creates, passwd, group, and shadow files. NOTE: gshadow is unsupported. This is only relevant if you are using passwords to control user group changes.

Because in this scenario, we are using flat files (i.e. /etc/passwd vs. /var/lib/misc/passwd.db) and db files, we want to not have uid/gid overlaps.

Copy /etc/login.defs to /var/lib/misc/etc/login.defs and change UID_MIN,UID_MAX,GID_MIN,GID_MAX to a different space (so as not to overlap with the flatfiles spaces).

When users are created with the useradd command, you can pass the --prefix /var/lib/misc argument, so then it would create users in the /var/lib/misc/etc directory (ignoring /etc) and would get defaults from /var/lib/misc/etc/login.defs (instead of /etc/login.defs).

For /home directories to be created properly I create the symlink:

ln -s /home /var/lib/misc/home

I also like to add sudoers configuration to the /var/lib/misc directory (so it can be shared via NFS)

cp -av /etc/sudoers.d $dbdir

Moving nss-db data

If you are storing nss-db in a different location, you can use a mount --bind to make it available in /var/lib/misc. This can be configured on /etc/fstab as follows:

# /etc/fstab
/mount/point/dir /var/lib/misc none defaults,bind 0 0

Configuring nss-db

In /var/lib/misc there is a Makefile that is used to create the relevant db files. To control how this you can configure things in /etc/default/libnss-db:

# /etc/default/libnss-db
# settings for libnss-db

# Directory where the databases are kept
VAR_DB = /var/lib/misc
# Location of files
ETC = $(VAR_DB)/etc

# Databases to generate
DBS = passwd group shadow

# Programs used
AWK = awk
MAKEDB = makedb --quiet

You must also add the db setting to the /etc/nsswitch.conf lines for passwd, group and shadow.

# Configure nsswitch.conf
sed -i~ \
        -e 's/^\(passwd:[ \t]*\).*$/\1files systemd db/' \
        -e 's/^\(group:[ \t]*\).*$/\1files systemd db/' \
        -e 's/^\(shadow:[ \t]*\).*$/\1files db/' \

This is not strictly part of nss-db, but I like to add to /etc/sudoers the line:

@includedir /var/lib/misc/sudoers.d

From then on, adding, modifying and removing users/groups should be done on the files in /var/lib/misc/etc. Afterwards, use make in /var/lib/misc to recrate db files.

For convenience I created a script in /usr/local/bin named nssdb:

# NSSDB command
nssdb_opts="--prefix $nssdb_dir"
extra_group_add_opts="--key GID_MIN=13000 --key GID_MAX=13999"

if [ $# -eq 0 ] ; then
  cat <<-_EOF_
        Usage: $0 useradd|userdel|usermod|groupadd|groupdel|groupmod [options]
  exit 1

case "$1" in
    op="$1" ; shift
    op="$1" ; shift
    nssdb_opts="$nssdb_opts $extra_group_add_opts"
  *) echo "$1: Unknown sub-command" ; exit 1

"$op" $nssdb_opts "$@" && ( cd $nssdb_dir && make )

What it does is that you can run:

  • nssdb useradd
  • nssdb usermod
  • nssdb userdel
  • nssdb groupadd
  • nssdb groupmod
  • nssdb groupdel

This will run the specified commands but with --prefix option so these will modify files in /var/lib/misc and the Makefile called accordingly.

Note the following commands can not be supported:

  • chfn: does not support --prefix or --root options.
  • chsh, passwd, newusers : only support --root which requires root priviledges.