Use getent to prove what NSS is returning for
identity (users/groups), name resolution (hosts), service/port
mapping, and protocol numbers to diagnose “directory services
not being honored” without guessing where the data is coming
from.
A teammate says: “This host isn’t honoring our directory services.” You need to prove what NSS is returning for users, groups, hosts, and services, using a single tool that queries the same databases the system uses.
Use this workflow before blaming LDAP/SSSD, DNS, or “the
network.” If getent returns correct data, your
issue is usually elsewhere (permissions, app config, cached
state, or service behavior).
getent.
localhost via NSS
hosts.
ssh via NSS
services.
tcp via NSS
protocols.
getent queries NSS-backed databases the same way
the OS does.
passwd and group
can be local files or directory-backed (via NSS).
/etc/nsswitch.conf.
services maps service names to ports (commonly
from /etc/services).
protocols maps protocol names to numbers
(useful in packet tools and low-level debugging).
getent passwd satoshi && getent group developersThis confirms what the system would return when something asks “who is this user?” or “what is this group?” If the lookup fails here, it will fail for login checks, file ownership resolution, and many services.
# Expected output (example):
satoshi:x:1001:1001:Satoshi Nakamoto:/home/satoshi:/bin/bash
developers:x:1002:satoshigetent hosts localhost
This shows the host lookup result through NSS, not just “what
DNS would say.” localhost is a good baseline
because it should resolve even on broken networks.
# Expected output (example):
127.0.0.1 localhost
::1 localhostgetent services sshThis confirms the canonical mapping used by many tools and libraries when translating a service name into a port.
# Expected output (example):
ssh 22/tcpgetent protocols tcpProtocol-to-number mappings show up in packet tooling and troubleshooting when protocols are referenced numerically.
# Expected output (example):
tcp 6 TCP
The identity does not exist in the databases NSS is querying,
or NSS is not configured to consult your directory service.
Inspect /etc/nsswitch.conf and relevant NSS
components (for example, SSSD).
This typically indicates a broken local baseline:
/etc/hosts missing entries, misordered
hosts: in /etc/nsswitch.conf, or a
resolver stack issue.
The local databases may be missing or corrupted, or NSS is
configured unusually. Confirm the presence of
/etc/services and /etc/protocols
and verify relevant lines in /etc/nsswitch.conf.
Cached results or different NSS source order can cause mismatches. Compare your results across hosts and confirm the NSS configuration is consistent.
This lab is read-only. No system changes are required to clean up.
You can produce NSS-backed proof for identity, hosts,
services, and protocols using only getent.
getent passwd <user>
: Look up a user entry via NSS (UID/GID, home, shell, etc.).
getent group <group>
: Look up a group entry via NSS (GID and members).
getent hosts <name>
: Resolve a hostname via NSS host databases.
getent services <service>
: Look up a service name to port/protocol mapping via NSS.
getent protocols <proto>
: Look up protocol name to number mapping via NSS.
/etc/nsswitch.conf
: Controls NSS database source order (what gets queried, and
in what sequence).