TL;DR
With SRU 90 the nscfg command now has a check subcommand allowing an administrator to check for configuration errors.
Configuration check
Sometimes it’s a little hard to find a name service misconfiguration. You have to check a number of places to find the culprit. For example, you have accidentally disabled the ldap/client service and are wondering why all your LDAP users are missing. So you start checking whether all necessary services have been enabled and whether all necessary settings have been made in SMF.
The nscfg command now also includes a built-in function that checks the configuration of the name service services, helping you to find the problem quickly.
If everything is okay, it will just return to the shell.
root@testbed:~# nscfg check
root@testbed:~#
I want to demonstrate this feature with a misconfiguration. In /etc/nsswitch.conf I modified one line to:
passwd: files ldap
The system is told to use ldap for passwd. However, the ldap/client service hasn’t been enabled:
root@testbed:~# svcs ldap/client
STATE STIME FMRI
disabled 2026-03-24T19:45:05 svc:/network/ldap/client:default
In Solaris, the name service configuration is in SMF. We have to get our modification to /etc/nsswitch.conf into it. I imported the content of that file into the SMF service. [1]
# nscfg import -f system/name-service/switch
With this clear misconfiguration in place, we run nscfg check:
root@testbed:/# nscfg check
ldap/client: is configured in svc:/system/name-service/switch but not enabled
Verbose output showing which services have been checked is available with the -v option. Again, the issue with the disabled ldap/client is reported:
root@testbed:~# nscfg check -v
Checking: system/name-service/cache...
Checking: system/name-service/switch...
Checking: files...
Checking: network/dns/client...
Checking: network/dns/multicast...
Service: network/dns/multicast is not enabled...
Service: network/dns/multicast is not checked.
Checking: network/ldap/client...
Service: network/ldap/client is not enabled...
Service: network/ldap/client is not checked.
Checking: network/nis/client...
Service: network/nis/client is not enabled...
Service: network/nis/client is not checked.
Checking: network/nis/domain...
Service: network/nis/domain is not enabled...
Service: network/nis/domain is not checked.
Checking: network/winbind...
Service: network/winbind is not enabled...
Service: network/winbind is not checked.
ldap/client: is configured in svc:/system/name-service/switch but not enabled
You can check a single service as well. In this case, even a disabled service’s configuration is checked. The check subcommand reports the following errors for a totally unconfigured ldap/client service:
root@testbed:~# nscfg check ldap/client
Error: issue in svc:/network/ldap/client: no LDAP servers are configured.
Error: issue in svc:/network/ldap/client: bad value in property config/credential_level = None
Error: issue in svc:/network/ldap/client: bad value in property config/authentication_method = None
If an error is reported, the command yields a non-zero exit code:
root@testbed:~# nscfg check svc:/system/name-service/switch
root@testbed:~# echo $?
0
root@testbed:~# nscfg check ldap/client
[...]
root@testbed:~# echo $?
1
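The exit code makes the check usable as a gate in a script, for example right after nscfg import. The following is an added example, not code from the original post: it takes the exit status as the verdict and parses the two message formats shown above only for reporting. The NSCFG variable and the function names are assumptions made for the example, as is capturing stderr together with stdout.

```shell
#!/bin/sh
# Added example (not from the original post).
# NSCFG is a hypothetical override so the gate can be pointed at another path.
NSCFG=${NSCFG:-nscfg}

# Turn "nscfg check" output into kind|service|detail records. Only the two
# message formats shown in the post are recognised; the "Checking:" and
# "Service:" progress lines of -v are ignored.
nscheck_findings() {
    sed -n \
        -e 's#^Error: issue in \(svc:[^ ]*\): \(.*\)$#error|\1|\2#p' \
        -e 's#^\([^ ]*\): is configured in \(svc:[^ ]*\) but not enabled$#not-enabled|\1|referenced by \2#p'
}

# Run the check with any arguments passed through (e.g. ldap/client).
# The exit status decides pass/fail; the text is parsed only for the report.
# Assumption: messages may arrive on stdout or stderr, so both are captured.
nscheck_gate() {
    _out=$("$NSCFG" check "$@" 2>&1) && return 0
    _rc=$?
    printf '%s\n' "$_out" | nscheck_findings
    return "$_rc"
}

# Usage in a change script, after "nscfg import":
#   nscheck_gate || { echo "name service check failed" >&2; exit 1; }
```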
The new subcommand significantly simplifies finding errors in this part of the system.
[1] Okay okay, I could have used and should have used svccfg, but old habits die hard …