libnss-afs

libnss-afs 2.0 and later require nscd. Do not attempt to use earlier versions without nscd.

A Name Service Switch (NSS) plugin is a shared library used by glibc to – among other things – translate between usernames and numeric userids and between group names and numeric groupids.

The libnss-afs library is an NSS plugin which answers these queries using the information stored in the AFS ptserver, avoiding the need to duplicate (and update) this information in /etc/passwd or LDAP. The library also synthesizes the name AfsPag-XXXX for the fake group ids that are used to represent AFS PAGs.

For an example of how to integrate this with Kerberos, PAM, SSH, nscd, and the OpenAFS client, please see HCoop's New Machine Setup page.

Getting It

You can retrieve libnss-afs from its git repository or directly out of AFS:

/afs/megacz.com/pub/software/libnss-afs/

Gitweb also has snapshots of the stable (tgz, zip) and development (tgz, zip) branches.

Installing It

Install the debian package and put these lines in /etc/nsswitch.conf:

passwd:         afs  compat
group:          afs  compat

History

libnss-afs was derived from Frank Burkhardt's libnss-ptdb, which was in turn derived from Todd M. Lewis's nss_pts.

Unlike libnss-ptdb, the new library requires no daemon process. Unlike nss_pts, the new library performs proper pthreads locking around the thread-unsafe AFS libraries. Perhaps most importantly of all, libnss-afs is only 286 lines of code in a single file, making it easier to review for correctness and robustness.

libnss-afs also includes the functionality provided by nss_afspag. This functionality is integrated directly into libnss_afs.so rather than being in a separate library, and has been updated to the new Linux 2.6 PAG numbering scheme. It also includes a fix for a bug which would cause nscd to crash.

On 8-Dec-2009, libnss-afs 2.0 was released. The only change in this version is that it will return NSS_UNAVAIL if used without nscd (this is checked by examining /proc/self/cmdline). This avoids the risks of loading libnss_afs into a process which is already linked to the AFS libraries, and ensures that long delays are not incurred when the network is down (for example, during shutdown).
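The nscd check described above, written out as an added example (this is not libnss-afs's own code, and the exact comparison it performs is an assumption: here the basename of argv[0] read from /proc/self/cmdline is compared with "nscd"). The guard is an identity heuristic that keeps the plugin from pulling the AFS libraries into arbitrary processes; it is not an access control, since any process can give itself that argv[0].

```c
/* Added example (not libnss-afs code): the "are we running inside nscd?" guard
 * described above, reconstructed from the page's description. Assumption: the
 * check compares the basename of argv[0] from /proc/self/cmdline with "nscd". */
#include <stdio.h>
#include <string.h>

/* buf holds the raw contents of /proc/self/cmdline: NUL-separated argv strings.
 * Returns 1 if the basename of argv[0] is exactly "nscd", else 0. */
int cmdline_is_nscd(const char *buf, size_t len)
{
    size_t n = 0;
    const char *base;

    while (n < len && buf[n] != '\0')       /* argv[0] ends at the first NUL */
        n++;
    if (n == 0)
        return 0;
    base = buf + n;
    while (base > buf && base[-1] != '/')   /* strip the directory part */
        base--;
    return (size_t)(buf + n - base) == 4 && memcmp(base, "nscd", 4) == 0;
}

/* Read this process's /proc/self/cmdline and apply the check.
 * Returns 1 inside nscd, 0 in any other process, -1 if /proc is unreadable. */
int running_inside_nscd(void)
{
    char buf[4096];
    size_t len;
    FILE *f = fopen("/proc/self/cmdline", "rb");
    if (f == NULL)
        return -1;
    len = fread(buf, 1, sizeof buf, f);
    fclose(f);
    return cmdline_is_nscd(buf, len);
}

/* In a plugin, each NSS entry point would begin with this guard and return
 * NSS_STATUS_UNAVAIL (the glibc constant from <nss.h>) when the result is not 1,
 * so that nothing but nscd ever links the AFS libraries into its address space. */
int main(void)
{
    int r = running_inside_nscd();
    printf("running inside nscd: %s\n", r == 1 ? "yes" : r == 0 ? "no" : "unknown");
    return 0;
}
```

Returning "unavailable" rather than "not found" matters: with NSS_STATUS_UNAVAIL glibc moves on to the next source listed in nsswitch.conf (compat, in the configuration shown above), so local accounts in /etc/passwd keep resolving in processes that bypass nscd.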

Advice

Starting with libnss-afs 2.0, you must use nscd. With prior versions it is strongly recommended that you run it.

There is a known bug in nscd which may cause it to crash. It seems that libnss-afs increases the probability of triggering this bug. To avoid this, you must put this line in /etc/nscd.conf:

enable-cache hosts no

Moreover, based on advice from here, it's probably a good idea to disable persistence:

persistent passwd no
persistent groups no
persistent hosts  no

Known Issues/Bugs

  • Strange behaviors such as very slow logins and incorrect home directories have been observed when a given username has an entry in both /etc/passwd and in pts. It is strongly recommended that you ensure that no user appear in both places.

  • libnss-afs does not support the GECOS field.

To Do

In the transition from libnss-ptdb to libnss-afs, all configuration options were removed. The majority of them are no longer necessary because there is no daemon, but I really need to add back in a way to choose the “homedir style” and “shell style”.

Currently these settings are hardwired, but can be changed with very simple edits to the source code:

  • If /etc/openafs/ThisCell is somecell.edu, then the home directory for user fred will be /afs/somecell.edu/user/f/fr/fred/.

  • If ~/.loginshell exists and is a symlink, then whatever it points to is the user's shell. If the link does not exist, or any errors are encountered, the user's shell is /bin/bash.

The next version will allow you to set configuration options for these choices in your krb5.conf file, the same way that pam-afs-session does (see load_krb5_config() in options.c).