

The GNU C library contains an NSS module for the Hesiod name service.
Hesiod is a general name service for a variety of applications and is
based on the Berkeley Internet Name Daemon (BIND).


The Hesiod NSS module implements access to all relevant standard
Hesiod types, which means that Hesiod can be used for the `group',
`passwd' and `services' databases.  There is however a restriction.
In the same way that it is impossible to use `gethostent()' to iterate
over all the data provided by DNS, it is not possible to scan the
entire Hesiod database by means of `getgrent()', `getpwent()' and
`getservent()'.  In addition, Hesiod only provides support for looking up
services by name, not for looking them up by port.  In essence this
means that the Hesiod name service is only consulted as a result of
one of the following function calls:

  * getgrnam(), getgrgid()
  * getpwnam(), getpwuid()
  * getservbyname()

and their reentrant counterparts.

Configuring your systems

Configuring your systems to make use of the Hesiod name service requires
one or more of the following steps, depending on whether you are
already running Hesiod in your network.

Configuring NSS

First you should modify the file `/etc/nsswitch.conf' to tell
NSS for which databases you want to use the Hesiod name service.  If
you want to use Hesiod for all databases it can handle, your
configuration file could look like this:

  # /etc/nsswitch.conf
  # Example configuration of GNU Name Service Switch functionality.

  passwd:	  db files hesiod
  group:	  db files hesiod
  shadow:	  db files

  hosts:	  files dns
  networks:	  files dns

  protocols:	  db files
  services:	  db files hesiod
  ethers:	  db files
  rpc:		  db files

For more information on NSS, please refer to the `The GNU C Library
Reference Manual'.

Configuring Hesiod

Next, you will have to configure Hesiod.  If you are already running
Hesiod in your network, you probably already have a file named
`hesiod.conf' on your machines (probably as `/etc/hesiod.conf' or
`/usr/local/etc/hesiod.conf').  The Hesiod NSS module looks for
`/etc/hesiod.conf' by default.  If there is no configuration file you
will want to create your own.  It should look something like:


The optional classes setting specifies which DNS classes Hesiod
should do lookups in.  Possible values are IN (the preferred class)
and HS (the deprecated class, still used by some sites).
You may specify both classes separated by a comma to try one class
first and then the other if no entry is available in the first
class.  The default value of the classes variable is `IN,HS'.

The value of rhs can be overridden by the environment variable

Configuring your name servers

In addition, if you are not already running Hesiod in your network,
you need to create Hesiod information on your central name servers.
You need to run `named' from BIND 4.9 or higher on these servers, and
make them authoritative for the domain `ns.your.domain' with a line in
`/etc/named.boot' reading something like:

  primary         ns.your.domain          named.hesiod

or, if you are using the new BIND 8.1 or higher, add something to
`/etc/named.conf' like:

  zone "ns.your.domain" {
          type master;
          file "named.hesiod";
  };

Then in the BIND working directory (usually `/var/named') create the
file `named.hesiod' containing data that looks something like:

  ; SOA and NS records.
  @       IN      SOA     server1.your.domain admin-address.your.domain (
                  40000           ; serial - database version number
                  1800            ; refresh - sec servers
                  300             ; retry - for refresh
                  3600000         ; expire - unrefreshed data
                  7200 )          ; min
                  NS      server1.your.domain
                  NS      server2.your.domain

  ; Actual Hesiod data.  The N.gid and N.uid CNAMEs alias the numeric
  ; ids to the same records so that getgrgid() and getpwuid() work.
  libc.group      TXT     "libc:*:123:gnu,gnat"
  123.gid         CNAME   libc.group
  gnu.passwd      TXT     "gnu:*:4567:123:GNU:/home/gnu:/bin/bash"
  4567.uid        CNAME   gnu.passwd
  nss.service     TXT     "nss tcp 789 switch sw"
  nss.service     TXT     "nss udp 789 switch sw"

where `libc' is an example of a group, `gnu' an example of a user,
and `nss' an example of a service.  Note that the format used to
describe services differs from the format used in `/etc/services'.
For more information on `named' refer to the `Name Server Operations
Guide for BIND' that is included in the BIND distribution.


Note that the information stored in the Hesiod database is, in
principle, publicly available: anyone who can query the name servers
can read it.  Care should be taken before including sensitive
information such as encrypted passwords in the Hesiod database.  There
are some ways to improve security by using features provided by
`named' (see the discussion about `secure zones' in the BIND
documentation), but one should keep in mind that Hesiod was never
intended to distribute passwords.  In the original design,
authenticating users was the job of the Kerberos service.
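The following is an added example, not glibc's or Hesiod's own code. It shows how the steps above fit together: a `getpwnam()`, `getpwuid()` or `getservbyname()` call is turned into a DNS query name from the `lhs`/`rhs` settings of `hesiod.conf`, the answer is found in the zone data (following the `N.uid` CNAME alias), the passwd and Hesiod-style service TXT layouts are parsed defensively, and a check flags passwd records that publish anything other than a placeholder in the password field, which is the caveat of the paragraph above. The `hesiod.conf` values and the in-memory ZONE are assumptions constructed from this README; no name server is contacted.

```python
# Added example, not glibc's code: how getpwnam()/getpwuid()/getservbyname() turn into
# DNS query names under hesiod.conf and how the README's TXT layouts are parsed. ZONE
# is constructed from the named.hesiod data above; no real name server is contacted.
HESIOD_CONF = {"lhs": ".ns", "rhs": ".your.domain", "classes": "IN,HS"}  # assumed
ZONE = {  # query name -> [(rrtype, rdata)], as named would answer
    "gnu.passwd.ns.your.domain": [("TXT", "gnu:*:4567:123:GNU:/home/gnu:/bin/bash")],
    "4567.uid.ns.your.domain": [("CNAME", "gnu.passwd.ns.your.domain")],
    "nss.service.ns.your.domain": [("TXT", "nss tcp 789 switch sw"), ("TXT", "nss udp 789 switch sw")],
}

def hesiod_name(name, hes_type, conf=HESIOD_CONF):
    """The name Hesiod asks DNS for: <name>.<type><lhs><rhs>."""
    return f"{name}.{hes_type}{conf['lhs']}{conf['rhs']}"

def resolve_txt(qname, zone=ZONE, hops=0):
    """TXT strings for qname, following CNAMEs (the N.uid aliases) with a hop limit."""
    if hops > 8 or qname not in zone:
        return []
    txts = [r for t, r in zone[qname] if t == "TXT"]
    cnames = [r for t, r in zone[qname] if t == "CNAME"]
    return txts or (resolve_txt(cnames[0], zone, hops + 1) if cnames else [])

def parse_passwd(txt):
    """name:passwd:uid:gid:gecos:dir:shell; None if malformed (zone data is untrusted)."""
    f = txt.split(":")
    if len(f) != 7 or not (f[2].isdigit() and f[3].isdigit()):
        return None
    return {"name": f[0], "passwd": f[1], "uid": int(f[2]), "gid": int(f[3]),
            "gecos": f[4], "dir": f[5], "shell": f[6]}

def parse_service(txt):
    """Hesiod service layout (not the /etc/services one): name proto port [aliases]."""
    f = txt.split()
    return ({"name": f[0], "proto": f[1], "port": int(f[2]), "aliases": f[3:]}
            if len(f) >= 3 and f[2].isdigit() else None)

def lookup(key, hes_type, parser, accept=lambda e: True):
    """First well-formed record for key.type: Hesiod offers only such point lookups."""
    for txt in resolve_txt(hesiod_name(key, hes_type)):
        entry = parser(txt)
        if entry and accept(entry):
            return entry
    return None

def getpwnam(name): return lookup(name, "passwd", parse_passwd)
def getpwuid(uid): return lookup(str(uid), "uid", parse_passwd)
def getservbyname(name, proto):
    return lookup(name, "service", parse_service, lambda e: e["proto"] == proto)
def publishes_secret(pw):  # README caveat: zone data is public; anything but a placeholder leaks a hash
    return pw["passwd"] not in ("*", "x", "")
```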

More information

For more information on the Hesiod name service take a look at some of
the papers in ftp://athena-dist.mit.edu:/pub/ATHENA/usenix and the
documentation that accompanies the source code for the Hesiod name
service library in ftp://athena-dist.mit.edu:/pub/ATHENA/hesiod.

There is a mailing list at MIT for Hesiod users, hesiod@mit.edu.  To
get yourself on or off the list, send mail to hesiod-request@mit.edu.