Hesiod (name service)
In computing, the Hesiod name service originated in Project Athena (1983–1991). It uses DNS functionality to provide access to databases of information that change infrequently. In Unix environments it often serves to distribute information kept in the /etc/passwd, /etc/group, and /etc/printcap files, among others. Frequently an LDAP server is used to distribute the same kind of information that Hesiod does. However, because Hesiod can leverage existing DNS servers, deploying it to a network is fairly easy.
In a Unix-like system users usually have a line in the /etc/passwd file for each local user like:
foo:x:100:10:Foo Bar:/home/foo:/bin/sh
This line is composed of seven colon-separated fields which hold the following data:
- user login name (string);
- password hash or "x" if shadow password file is in use (string);
- user id (unsigned integer);
- user's primary group id (unsigned integer);
- Gecos field (four comma separated fields, string);
- user home directory (string);
- user login shell (string).
This system works fine for a small number of users on a small number of machines. But when more users start using more machines having this information managed in one location becomes critical. This is where Hesiod enters.
Instead of having this information stored on every machine, Hesiod stores it in records on your DNS server. Then each client can query the DNS server for this information instead of looking for it locally. In BIND the records for the above user might look something like:
foo.passwd.ns.example.net HS TXT "foo:x:100:10:Foo Bar:/home/foo:/bin/sh" 100.passwd.ns.example.net HS TXT "foo:x:100:10:Foo Bar:/home/foo:/bin/sh" 100.uid.ns.example.net HS TXT "foo:x:100:10:Foo Bar:/home/foo:/bin/sh"
There are three records because the system needs to be able to access the information in different ways. The first line supports looking up the user by their login name and the second two allow it to look up information by the user's uid. Note the use of the HS class instead of IN as might be expected. The Domain Name System has a special class of service for Hesiod's purpose.
On the client side some configuration also needs to happen. The /etc/hesiod.conf file for this setup might look something like:
rhs=.example.net lhs=.ns classes=HS,IN
Also make sure the /etc/resolv.conf file is using the name servers that have the Hesiod records. Once this is configured one can test the setup using the hesinfo program:
hesinfo foo passwd
should return
foo:x:100:10:Foo Bar:/home/foo:/bin/sh
What happens here is that the foo and the passwd are combined with the lhs and rhs values in the /etc/hesiod.conf file to create a fully qualified name of foo.passwd.ns.hesiod. The DNS server is then queried for this entry and returns the value of that record.
See also
- Name Service Switch (NSS)
- Network Information Service (NIS)
- Lightweight Directory Access Protocol (LDAP)
- Kerberos
External links
- – NetBSD File Formats Manual
- Single Sign-On and the System Administrator