On 08.12.2016 at 15:20, Michael Biebl wrote:
> Installing libnss-mdns, then libnss-resolve leads to
>
> hosts: files mdns4_minimal [NOTFOUND=return] resolve [!UNAVAIL=return] dns
>
> Installing libnss-resolve, then libnss-mdns leads to
>
> hosts: files resolve [!UNAVAIL=return] mdns4_minimal [NOTFOUND=return] dns
>
>
> So maybe the "obvious" fix is to change libnss-mdns to always insert itself
> before dns *and* resolve? On the other hand, it's quite ugly that mdns needs to
> be taught to cope with this new nss module.
>
> Martin, Simon, what's your take on this?
> With multiple packages mangling nsswitch.conf, this feels like it's becoming
> very brittle and maybe we need a proper API like pam-auth-update.

Some more thoughts: we have quite a few libnss-* packages

> # apt-cache search --names-only libnss-
> libnss-db - NSS-Modul für die Verwendung der Berkeley-Datenbank als Namensdienst
> libnss-ldap - NSS-Modul für den Einsatz von LDAP als Namensdienst
> libnss-ldapd - NSS-Modul für den Einsatz von LDAP als Namensdienst
> libnss-lwres - NSS-Modul um bind9-lwres als Namensdienst zu nutzen
> libnss-sss - Nss-Modul für den SSS-Daemon (System Security Services)
> libnss-cache - NSS module for using nsscache-generated files
> libnss-docker - nss module for finding Docker containers
> libnss-extrausers - nss module to have an additional passwd, shadow and group file
> libnss-gw-name - nss module that names the current gateway’s IP address
> libnss-mysql-bg - NSS module for using MySQL as a naming service
> libnss-pgsql2 - NSS module for using PostgreSQL as a naming service
> libnss-securepass - NSS (Name Service Switch) module for Securepass
> libnss-libvirt - nss plugin providing IP address resolution for virtual machines
> libnss-mdns - NSS module for Multicast DNS name resolution
> libnss-wrapper - NSS wrapper library
> libnss-rainbow2 - nss library for rainbow
> libnss-winbind - Samba nameservice integration plugins
> libnss-myhostname - nss module providing fallback resolution for the current hostname
> libnss-mymachines - nss module to resolve hostnames for local container instances
> libnss-resolve - nss module to resolve names via systemd-resolved
> libnss-systemd - nss module providing dynamic user and group name resolution

The first one that I picked was libnss-ldap
It doesn't mangle libnss-ldap directly, but it ships an example file,
which contains

hosts: dns ldap

So, libnss-resolve's behaviour of using [!UNAVAIL=return] would break
LDAP hosts resolution as well.
I guess, going through the complete list, we would find more packages
which would be affected the same way.

It seems like [!UNAVAIL=return] is generally not safe to use if you
don't know which NSS modules might come after yours.

Michael

--
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
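
The effect discussed in this message, as an added example that is not part of the original mail or of any package mentioned in it: a small simulator for the glibc `hosts:` lookup chain, run over the two orderings quoted above. The function names and the statuses each module is assumed to report are constructed for illustration.

```python
import re

STATUSES = ("SUCCESS", "NOTFOUND", "UNAVAIL", "TRYAGAIN")
# glibc defaults: stop on SUCCESS, otherwise fall through to the next module.
DEFAULTS = {s: ("return" if s == "SUCCESS" else "continue") for s in STATUSES}

def parse_hosts_line(line):
    """Parse an nsswitch.conf 'hosts:' line into [(service, {status: action})]."""
    spec = line.partition(":")[2]
    chain = []
    for token in re.findall(r"\[[^\]]*\]|\S+", spec):
        if not token.startswith("["):
            chain.append((token, dict(DEFAULTS)))
            continue
        if not chain:
            raise ValueError("action list without a preceding service")
        for item in token[1:-1].split():
            m = re.fullmatch(r"(!?)(\w+)=(\w+)", item)
            if not m or m.group(2).upper() not in STATUSES:
                raise ValueError(f"bad action item: {item!r}")
            status, action = m.group(2).upper(), m.group(3).lower()
            # '!STATUS=action' applies the action to every status except STATUS.
            hit = [s for s in STATUSES if s != status] if m.group(1) else [status]
            for s in hit:
                chain[-1][1][s] = action
    return chain

def lookup(chain, reported):
    """Walk the chain; 'reported' maps service -> status it would report.
    Returns (final status, services actually consulted)."""
    consulted, status = [], "UNAVAIL"
    for service, actions in chain:
        status = reported.get(service, "UNAVAIL")
        consulted.append(service)
        if actions[status] == "return":
            break
    return status, consulted

# The two orderings quoted in the mail.
MDNS_FIRST = "hosts: files mdns4_minimal [NOTFOUND=return] resolve [!UNAVAIL=return] dns"
RESOLVE_FIRST = "hosts: files resolve [!UNAVAIL=return] mdns4_minimal [NOTFOUND=return] dns"
# Constructed statuses (assumption): a .local name only mDNS can answer,
# with systemd-resolved running and reporting NOTFOUND for it.
LOCAL_NAME = {"files": "NOTFOUND", "resolve": "NOTFOUND",
              "mdns4_minimal": "SUCCESS", "dns": "NOTFOUND"}

if __name__ == "__main__":
    for line in (MDNS_FIRST, RESOLVE_FIRST):
        print(line, "->", lookup(parse_hosts_line(line), LOCAL_NAME))
```

With resolve listed first, the chain stops at resolve and mdns4_minimal is never consulted; it is only reached when resolve reports UNAVAIL.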