author: nectar <nectar@FreeBSD.org> 2000-09-06 18:16:48 +0000
committer: nectar <nectar@FreeBSD.org> 2000-09-06 18:16:48 +0000
commit: 748554442d0ac4467fdac2ce9d42006588fd4481 (patch)
tree: aed2ddbcac97f46f60ee9c2063a3345553f6a1ee /share
parent: 59ffb36b778f8e629622726f6bd32dfa4fda7e35 (diff)
Add nsswitch support. By creating an /etc/nsswitch.conf file, you can
configure FreeBSD so that various databases such as passwd and group can
be looked up using flat files, NIS, or Hesiod.

= Hesiod has been added to libc (see hesiod(3)).

= A library routine for parsing nsswitch.conf and invoking callback
  functions as specified has been added to libc (see nsdispatch(3)).

= The following C library functions have been modified to use nsdispatch:
  . getgrent, getgrnam, getgrgid
  . getpwent, getpwnam, getpwuid
  . getusershell
  . getaddrinfo
  . gethostbyname, gethostbyname2, gethostbyaddr
  . getnetbyname, getnetbyaddr
  . getipnodebyname, getipnodebyaddr, getnodebyname, getnodebyaddr

= host.conf has been removed from src/etc. rc.network has been modified
  to warn that host.conf is no longer used at boot time. In addition, if
  there is a host.conf but no nsswitch.conf, the latter is created at
  boot time from the former.

Obtained from: NetBSD
Diffstat (limited to 'share')
-rw-r--r--  share/examples/etc/README.examples |   2
-rw-r--r--  share/man/man4/yp.4                |  10
-rw-r--r--  share/man/man5/Makefile            |   9
-rw-r--r--  share/man/man5/group.5             |  36
-rw-r--r--  share/man/man5/hesiod.conf.5       |  53
-rw-r--r--  share/man/man5/hosts.5             |   4
-rw-r--r--  share/man/man5/nsswitch.conf.5     | 266
-rw-r--r--  share/man/man5/passwd.5            | 826
-rw-r--r--  share/man/man8/yp.8                |  10
9 files changed, 528 insertions, 688 deletions
diff --git a/share/examples/etc/README.examples b/share/examples/etc/README.examples
index 2bcd4b0..a2739b3 100644
--- a/share/examples/etc/README.examples
+++ b/share/examples/etc/README.examples
@@ -20,7 +20,6 @@ fbtab - configuration file for login(1)
ftpusers - user restriction file for ftpd(8)
gettytab - defines port configuration for getty(8)
group - group permissions file (see group(5))
-host.conf - defines name resolution order for gethostbyname(3)
hosts - see hosts(5)
hosts.equiv - defines system-wide trusted hosts (see ruserok(3))
hosts.lpd - defines trusted hosts for lpd(8)
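Review bot: dropping the host.conf line entirely leaves no pointer for readers who still have a host.conf on disk, while the commit message says rc.network keeps reading it at boot to generate nsswitch.conf. Consider keeping a one-line entry for one release, e.g. `host.conf - obsolete; converted to nsswitch.conf at boot (see nsswitch.conf(5))`, so the README and the boot-time warning tell the same story.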
@@ -36,6 +35,7 @@ motd - sample Message of the Day
netstart - network startup script run from /etc/rc
networks - see networks(5)
newsyslog.conf - configuration for system log file rotator newsyslog(8)
+nsswitch.conf - name-service switch config file (see nsswitch.conf(5))
pam.conf - configuration file for pam(8)
pccard_ether - confiuration script for ethernet pccards (see pccardd(8))
phones - phone number database for tip(1)
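Review bot: the added nsswitch.conf line is correctly placed and cross-referenced; while touching this block, the adjacent context line `pccard_ether - confiuration script for ethernet pccards` has a typo ("confiuration") that could be fixed in the same commit.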
diff --git a/share/man/man4/yp.4 b/share/man/man4/yp.4
index dda8944..3ceab06 100644
--- a/share/man/man4/yp.4
+++ b/share/man/man4/yp.4
@@ -57,14 +57,8 @@ daemon makes direct
library calls since there are no
functions in the standard C library for reading bootparams.
.Tn NIS
-support for the hosts, services and rpc databases is enabled by
-uncommenting the
-.Em nis
-line in
-.Pa /etc/host.conf .
-.Tn NIS
-support for the remaining services is
-activated by adding a special '+' entry to the appropriate file.
+support is enabled in
+.Xr nsswitch.conf .
.Pp
The
.Nm YP
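Review bot: the new `.Xr nsswitch.conf .` line is missing the manual section argument; every other cross-reference added in this patch uses `.Xr nsswitch.conf 5 ,` so this should be `.Xr nsswitch.conf 5 .`. The replacement sentence also loses the information the removed paragraph carried: the `+` entries that used to activate NIS for passwd and group are now honoured only when the database's source in nsswitch.conf is `compat` (per the nsswitch.conf.5 page added in this patch). A reader of yp(4) should be told that, otherwise existing `+` lines in master.passwd appear to have silently stopped working.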
diff --git a/share/man/man5/Makefile b/share/man/man5/Makefile
index 83fc325..a16b1c1 100644
--- a/share/man/man5/Makefile
+++ b/share/man/man5/Makefile
@@ -4,11 +4,12 @@
#MISSING: dump.5 plot.5
MAN5= a.out.5 acct.5 core.5 devfs.5 dir.5 disktab.5 ethers.5 \
elf.5 fbtab.5 fdesc.5 forward.5 fs.5 fstab.5 group.5 \
+ hesiod.conf.5 \
hosts.5 hosts.equiv.5 hosts.lpd.5 intro.5 kernfs.5 link.5 \
- linprocfs.5 mailer.conf.5 motd.5 networks.5 passwd.5 pbm.5 \
- periodic.conf.5 phones.5 procfs.5 protocols.5 rc.conf.5 \
- remote.5 resolver.5 services.5 shells.5 stab.5 sysctl.conf.5 \
- types.5 utmp.5
+ linprocfs.5 mailer.conf.5 motd.5 networks.5 nsswitch.conf.5 \
+ passwd.5 pbm.5 periodic.conf.5 \
+ phones.5 procfs.5 protocols.5 rc.conf.5 remote.5 resolver.5 \
+ services.5 shells.5 stab.5 sysctl.conf.5 types.5 utmp.5
MLINKS= dir.5 dirent.5
MLINKS+=fs.5 inode.5
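Review bot: passwd.5 in this patch adds `.Nm master.passwd` to its NAME section, but no corresponding link is added here, so `man master.passwd` will still fail. Add `MLINKS+=passwd.5 master.passwd.5` next to the existing MLINKS lines. Minor style point: `hesiod.conf.5 \` sits alone on a line while the rest of MAN5 is packed several names per line; it could be folded into the preceding line.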
diff --git a/share/man/man5/group.5 b/share/man/man5/group.5
index 764caf5..5df3e04 100644
--- a/share/man/man5/group.5
+++ b/share/man/man5/group.5
@@ -39,6 +39,14 @@
.Nm group
.Nd format of the group permissions file
.Sh DESCRIPTION
+The
+.Nm
+file is the local source of group information. It
+can be used in conjunction with the Hesiod domain
+`group', and the NIS maps `group.byname' and `group.bygid',
+as controlled by
+.Xr nsswitch.conf 5 .
+.Pp
The file
.Aq Pa /etc/group
consists of newline separated
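Review bot: the added paragraph quotes the Hesiod domain and NIS map names with literal backticks (`group', `group.byname'), whereas the passwd.5 text added in the same patch and the text being removed further down in this file use mdoc macros (`.Sq group` / `.Dq Li group.byname`). The same backtick quoting appears in the hosts.5 hunk. Use `.Sq` consistently so the names render correctly on all output devices.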
@@ -107,28 +115,6 @@ entry and does not need to be added to that group in the
.\" char **gr_mem; /* group members */
.\" };
.\" .Ed
-.Sh YP/NIS INTERACTION
-The
-.Pa /etc/group
-file can be configured to enable the YP/NIS group database.
-An entry whose
-.Ar name
-field consists of a plus sign (`+') followed by a group name, will be
-replaced internally to the C library with the YP/NIS group entry for the
-named group. An entry whose
-.Ar name
-field consists of a single plus sign with no group name following,
-will be replaced with the entire YP/NIS
-.Dq Li group.byname
-map.
-.Pp
-If the YP/NIS group database is enabled for any reason, all reverse
-lookups (i.e.,
-.Fn getgrgid )
-will use the entire database, even if only a few groups are enabled.
-Thus, the group name returned by
-.Fn getgrgid
-is not guaranteed to have a valid forward mapping.
.Sh LIMITS
There are various limitations which are explained in
the function where they occur; see section
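Review bot: the whole YP/NIS INTERACTION section is deleted with nothing replacing it, while passwd.5 in this same patch gets HESIOD SUPPORT and NIS SUPPORT sections naming the relevant domains and maps. group.5 should get the equivalent sections (Hesiod domain `group`, NIS maps `group.byname` and `group.bygid`, and a note that the `+`/`-` syntax is still available via the `compat` source). The removed caveat that reverse lookups through `getgrgid` use the entire NIS map, so the returned name may have no valid forward mapping, is a correctness warning; if it still holds under the `compat` and `nis` sources it should be kept rather than dropped.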
@@ -156,6 +142,7 @@ may still have this limits.
.Xr getgrent 3 ,
.Xr initgroups 3 ,
.Xr yp 4 ,
+.Xr nsswitch.conf 5 ,
.Xr passwd 5
.Sh BUGS
The
@@ -168,10 +155,5 @@ A
.Nm
file format appeared in
.At v6 .
-The YP/NIS functionality is modeled after
-.Tn SunOS
-and first appeared in
-.Tn FreeBSD
-1.1.
Support for comments first appeared in
.Fx 3.0 .
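Review bot: the HISTORY entry for YP/NIS support is removed although the feature itself remains reachable through the `compat` source, so the history is still accurate; keep the sentence (optionally using `.Fx 1.1` instead of `.Tn FreeBSD` plus a bare version number, matching the `.Fx 3.0` line that follows).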
diff --git a/share/man/man5/hesiod.conf.5 b/share/man/man5/hesiod.conf.5
new file mode 100644
index 0000000..639b447
--- /dev/null
+++ b/share/man/man5/hesiod.conf.5
@@ -0,0 +1,53 @@
+.\" $NetBSD: hesiod.conf.5,v 1.2 1999/01/25 22:37:06 lukem Exp $
+.\" $FreeBSD$
+.\"
+.\" from: #Id: hesiod.conf.5,v 1.1 1996/12/08 21:36:38 ghudson Exp #
+.\"
+.\" Copyright 1996 by the Massachusetts Institute of Technology.
+.\"
+.\" Permission to use, copy, modify, and distribute this
+.\" software and its documentation for any purpose and without
+.\" fee is hereby granted, provided that the above copyright
+.\" notice appear in all copies and that both that copyright
+.\" notice and this permission notice appear in supporting
+.\" documentation, and that the name of M.I.T. not be used in
+.\" advertising or publicity pertaining to distribution of the
+.\" software without specific, written prior permission.
+.\" M.I.T. makes no representations about the suitability of
+.\" this software for any purpose. It is provided "as is"
+.\" without express or implied warranty.
+.\"
+.TH HESIOD.CONF 5 "30 November 1996"
+.SH NAME
+hesiod.conf \- Configuration file for the Hesiod library
+.SH DESCRIPTION
+The file hesiod.conf determines the behavior of the Hesiod library.
+Blank lines and lines beginning with a `#' character are ignored. All
+other lines should be of the form
+.I variable
+=
+.IR value ,
+where the value should be a single word. Possible variables and
+values are:
+.IP lhs
+Specifies the domain prefix used for Hesiod queries. In almost all
+cases, you should specify ``lhs=.ns''. The default value if you do
+not specify an lhs value is no domain prefix, which is not compatible
+with most Hesiod domains.
+.IP rhs
+Specifies the default Hesiod domain; this value may be overridden by
+the
+.B HES_DOMAIN
+environment variable. You must specify an rhs line for the Hesiod
+library to work properly.
+.IP classes
+Specifies which DNS classes Hesiod should do lookups in. Possible
+values are IN (the preferred class) and HS (the deprecated class,
+still used by some sites). You may specify both classes separated by
+a comma to try one class first and then the other if no entry is
+available in the first class. The default value of the classes
+variable is ``IN,HS''.
+.SH SEE ALSO
+hesiod(3)
+.SH BUGS
+The default value for ``lhs'' should probably be more reasonable.
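Review bot: this new page is written with man(7) macros (`.TH`, `.SH`, `.IP`, `.B`) while every other manual page in this patch uses mdoc(7) (`.Dd`/`.Dt`/`.Os`/`.Sh`); it should be converted for consistency with the rest of section 5. Three documentation gaps: the page never gives the file's path (a FILES section with `/etc/hesiod.conf` is expected), SEE ALSO lists only hesiod(3) and should also point at nsswitch.conf(5), which is how the `dns` source reaches Hesiod on FreeBSD, and the `.TH` date of 30 November 1996 predates the FreeBSD import. The `classes` description (default `IN,HS`, IN preferred) also disagrees with the `dns` source description in the nsswitch.conf.5 page of this patch, which states that non-hosts databases use HS class entries; one of the two should be corrected.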
diff --git a/share/man/man5/hosts.5 b/share/man/man5/hosts.5
index 00ca8ce..3708958 100644
--- a/share/man/man5/hosts.5
+++ b/share/man/man5/hosts.5
@@ -43,6 +43,9 @@ The
.Nm hosts
file contains information regarding
the known hosts on the network.
+It can be used in conjunction with DNS, and the NIS
+maps `hosts.byaddr' and `hosts.byname', as controlled by
+.Xr nsswitch.conf 5 .
For each host a single line should be present
with the following information:
.Bd -unfilled -offset indent
@@ -98,6 +101,7 @@ file resides in
.El
.Sh SEE ALSO
.Xr gethostbyname 3 ,
+.Xr nsswitch.conf 5 ,
.Xr ifconfig 8 ,
.Xr named 8
.Rs
diff --git a/share/man/man5/nsswitch.conf.5 b/share/man/man5/nsswitch.conf.5
new file mode 100644
index 0000000..ca281c8
--- /dev/null
+++ b/share/man/man5/nsswitch.conf.5
@@ -0,0 +1,266 @@
+.\" $NetBSD: nsswitch.conf.5,v 1.14 1999/03/17 20:19:47 garbled Exp $
+.\" $FreeBSD$
+.\"
+.\" Copyright (c) 1997, 1998, 1999 The NetBSD Foundation, Inc.
+.\" All rights reserved.
+.\"
+.\" This code is derived from software contributed to The NetBSD Foundation
+.\" by Luke Mewburn.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\" 3. All advertising materials mentioning features or use of this software
+.\" must display the following acknowledgement:
+.\" This product includes software developed by Luke Mewburn.
+.\" 4. The name of the author may not be used to endorse or promote products
+.\" derived from this software without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+.\" BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
+.\" OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+.\" ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
+.\" TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
+.\" USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd January 22, 1998
+.Dt NSSWITCH.CONF 5
+.Os
+.Sh NAME
+.Nm nsswitch.conf
+.Nd name-service switch configuration file
+.Sh DESCRIPTION
+The
+.Nm
+file specifies how the
+.Xr nsdispatch 3
+(name-service switch dispatcher) routines in the C library should operate.
+.Pp
+The configuration file controls how a process looks up various databases
+containing information regarding hosts, users (passwords), groups, etc.
+Each database comes from a source (such as local files, DNS, and
+.Tn NIS ) ,
+and the order to look up the sources is specified in
+.Nm nsswitch.conf .
+.Pp
+Each entry in
+.Nm
+consists of a database name, and a space separated list of sources.
+Each source can have an optional trailing criterion that determines
+whether the next listed source is used, or the search terminates at
+the current source.
+Each criterion consists of one or more status codes, and actions to
+take if that status code occurs.
+.Ss Sources
+The following sources are implemented:
+.Bl -column "compat" -offset indent -compact
+.Sy Source Description
+.It files Local files, such as
+.Pa /etc/hosts ,
+and
+.Pa /etc/passwd .
+.It dns Internet Domain Name System.
+.Dq hosts
+and
+.Sq networks
+use
+.Sy IN
+class entries, all other databases use
+.Sy HS
+class (Hesiod) entries.
+.It nis NIS (formerly YP)
+.It compat support
+.Sq +/-
+in the
+.Dq passwd
+and
+.Dq group
+databases.
+If this is present, it must be the only source for that entry.
+.El
+.Ss Databases
+The following databases are used by the following C library functions:
+.Bl -column "networks" -offset indent -compact
+.Sy Database Used by
+.It group
+.Xr getgrent 3
+.It hosts
+.Xr gethostbyname 3
+.It networks
+.Xr getnetbyname 3
+.It passwd
+.Xr getpwent 3
+.It shells
+.Xr getusershell 3
+.El
+.Ss Status codes
+The following status codes are available:
+.Bl -column "tryagain" -offset indent -compact
+.Sy Status Description
+.It success The requested entry was found.
+.It notfound The entry is not present at this source.
+.It tryagain The source is busy, and may respond to retries.
+.It unavail The source is not responding, or entry is corrupt.
+.El
+.Ss Actions
+For each of the status codes, one of two actions is possible:
+.Bl -column "continue" -offset indent -compact
+.Sy Action Description
+.It continue Try the next source
+.It return Return with the current result
+.El
+.Ss Format of file
+A
+.Tn BNF
+description of the syntax of
+.Nm
+is:
+.Bl -column "<criterion>" -offset indent
+.It <entry> ::=
+<database> ":" [<source> [<criteria>]]*
+.It <criteria> ::=
+"[" <criterion>+ "]"
+.It <criterion> ::=
+<status> "=" <action>
+.It <status> ::=
+"success" | "notfound" | "unavail" | "tryagain"
+.It <action> ::=
+"return" | "continue"
+.El
+.Pp
+Each entry starts on a new line in the file.
+A
+.Sq #
+delimits a comment to end of line.
+Blank lines are ignored.
+A
+.Sq \e
+at the end of a line escapes the newline, and causes the next line to
+be a continuation of the current line.
+All entries are case-insensitive.
+.Pp
+The default criteria is to return on
+.Dq success ,
+and continue on anything else (i.e,
+.Li [success=return notfound=continue unavail=continue tryagain=continue]
+).
+.Ss Compat mode: +/- syntax
+In historical multi-source implementations, the
+.Sq +
+and
+.Sq -
+characters are used to specify the importing of user password and
+group information from
+.Tn NIS .
+Although
+.Nm
+provides alternative methods of accessing distributed sources such as
+.Tn NIS ,
+specifying a sole source of
+.Dq compat
+will provide the historical behaviour.
+.Pp
+An alternative source for the information accessed via
+.Sq +/-
+can be used by specifying
+.Dq passwd_compat: source .
+.Dq source
+in this case can be
+.Sq dns ,
+.Sq nis ,
+or
+any other source except for
+.Sq files
+and
+.Sq compat .
+.Ss Notes
+Historically, many of the databases had enumeration functions, often of
+the form
+.Fn getXXXent .
+These made sense when the databases were in local files, but don't make
+sense or have lesser relevance when there are possibly multiple sources,
+each of an unknown size.
+The interfaces are still provided for compatibility, but the source
+may not be able to provide complete entries, or duplicate entries may
+be retrieved if multiple sources that contain similar information are
+specified.
+.Pp
+To ensure compatibility with previous and current implementations, the
+.Dq compat
+source must appear alone for a given database.
+.Ss Default source lists
+If, for any reason,
+.Nm nsswitch.conf
+doesn't exist, or it has missing or corrupt entries,
+.Xr nsdispatch 3
+will default to an entry of
+.Dq files
+for the requested database.
+Exceptions are:
+.Bl -column passwd_compat "dns files" -offset indent
+.Sy Database Default source list
+.It group compat
+.It group_compat nis
+.It hosts dns files
+.It passwd compat
+.It passwd_compat nis
+.El
+.Sh FILES
+.Bl -tag -width /etc/nsswitch.conf -compact
+.It Pa /etc/nsswitch.conf
+The file
+.Nm
+resides in
+.Pa /etc .
+.El
+.Sh EXAMPLES
+To lookup hosts in
+.Pa /etc/hosts
+and then from the DNS, and lookup user information from
+.Tn NIS
+then files, use:
+.Bl -column "passwd:" -offset indent
+.It hosts: files dns
+.It passwd: nis [notfound=return] files
+.It group: nis [notfound=return] files
+.El
+.Pp
+The criteria
+.Dq [notfound=return]
+sets a policy of "if the user is notfound in nis, don't try files."
+This treats nis as the authoritive source of information, except
+when the server is down.
+.Sh SEE ALSO
+.Xr nsdispatch 3 ,
+.Xr resolv.conf 5 ,
+.Xr named 8 ,
+.Xr ypbind 8
+.Sh HISTORY
+The
+.Nm
+file format first appeared in
+.Fx 4.1 .
+It was imported from the
+.Nx
+Project, where it appeared first in
+.Nx 1.4 .
+.Sh AUTHORS
+Luke Mewburn
+.Aq lukem@netbsd.org
+wrote this freely distributable name-service switch implementation,
+using ideas from the
+.Tn ULTRIX
+.Xr svc.conf 5
+and
+.Tn Solaris
+.Xr nsswitch.conf 4
+manual pages.
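Review bot: the `dns` source description states that all databases other than hosts and networks use `HS` class (Hesiod) entries, but hesiod.conf.5 in this same patch says the default class list is `IN,HS` with IN preferred; the sentence should say that lookups go through the Hesiod library and that the class is controlled by hesiod.conf(5). The "Default source lists" table gives `hosts dns files`, the opposite order of the `hosts: files dns` line in EXAMPLES, so a host with no nsswitch.conf consults DNS before /etc/hosts; that consequence is worth stating explicitly in that section since administrators relying on rc.network's boot-time conversion will want to check the generated order. Wording fixes: "The default criteria is" should be "The default criterion is", "i.e," should be "i.e.,", "To lookup hosts" should be "To look up hosts", and "authoritive" should be "authoritative". The `.Dd January 22, 1998` date should be bumped to the import date, given HISTORY says the page first appeared in FreeBSD 4.1.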
diff --git a/share/man/man5/passwd.5 b/share/man/man5/passwd.5
index 51b1c3b..671d42b 100644
--- a/share/man/man5/passwd.5
+++ b/share/man/man5/passwd.5
@@ -1,5 +1,8 @@
+.\" $NetBSD: passwd.5,v 1.12.2.2 1999/12/17 23:14:50 he Exp $
+.\"
.\" Copyright (c) 1988, 1991, 1993
.\" The Regents of the University of California. All rights reserved.
+.\" Portions Copyright (c) 1994, Jason Downs. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
@@ -32,20 +35,37 @@
.\" From: @(#)passwd.5 8.1 (Berkeley) 6/5/93
.\" $FreeBSD$
.\"
-.Dd September 29, 1994
+.Dd January 16, 1999
.Dt PASSWD 5
.Os
.Sh NAME
-.Nm passwd
+.Nm passwd ,
+.Nm master.passwd
.Nd format of the password file
.Sh DESCRIPTION
The
.Nm passwd
-files are files consisting of newline separated records, one per user,
-containing ten colon
-.Pq Ql \&:
-separated fields. These fields are as
-follows:
+files are the local source of password information.
+They can be used in conjunction with the Hesiod domains
+.Sq passwd
+and
+.Sq uid ,
+and the
+.Tn NIS
+maps
+.Sq passwd.byname ,
+.Sq passwd.byuid ,
+.Sq master.passwd.byname ,
+and
+.Sq master.passwd.byuid ,
+as controlled by
+.Xr nsswitch.conf 5 .
+.Pp
+The
+.Nm master.passwd
+file is readable only by root, and consists of newline separated
+records, one per user, containing ten colon (``:'') separated
+fields. These fields are as follows:
.Pp
.Bl -tag -width password -offset indent
.It name
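Review bot: the rewritten DESCRIPTION replaces the mdoc `.Pq Ql \&:` idiom with a literal ``:'' for the colon; the same substitution recurs in later hunks of this file for `-`, `.`, `,` and `&`. Keeping the `.Pq Ql` macros renders correctly on every output device and matches the style of the unchanged parts of the page. Also, adding `.Nm master.passwd` to NAME needs a matching `MLINKS+=passwd.5 master.passwd.5` in share/man/man5/Makefile, which this patch does not add.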
@@ -59,7 +79,7 @@ User's id.
.It gid
User's login group id.
.It class
-User's login class.
+User's general classification (unused).
.It change
Password change time.
.It expire
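Review bot: changing the `class` entry to "User's general classification (unused)." imports NetBSD wording that is wrong for FreeBSD and contradicts this same page: a later paragraph retained by the patch still says the field "is a key for a user's login class" defined in login.conf(5), and the new text in the next hunk says pwd_mkdb(8) strips the class field when generating passwd from master.passwd. Keep "User's login class." here.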
@@ -72,9 +92,14 @@ User's home directory.
User's login shell.
.El
.Pp
-Lines whose first non-whitespace character is a pound-sign (#)
-are comments, and are ignored. Blank lines which consist
-only of spaces, tabs or newlines are also ignored.
+The
+.Nm
+file is generated from the
+.Nm master.password
+file by
+.Xr pwd_mkdb 8 ,
+has the class, change, and expire fields removed, and the password
+field replaced by a ``*''.
.Pp
The
.Ar name
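Review bot: `.Nm master.password` is a typo for `.Nm master.passwd`. This hunk also removes the only statement that lines beginning with `#` are comments and that blank lines are ignored, without replacing it; if pwd_mkdb(8) and the library still accept such lines, keep that paragraph alongside the new one describing how passwd is generated from master.passwd.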
@@ -85,17 +110,15 @@ across the system (and often across a group of systems) since they
control file access.
.Pp
While it is possible to have multiple entries with identical login names
-and/or identical uids, it is usually a mistake to do so. Routines
+and/or identical user id's, it is usually a mistake to do so. Routines
that manipulate these files will often return only one of the multiple
entries, and that one by random selection.
.Pp
-The login name must never begin with a hyphen
-.Pq Ql \&- ;
-also, it is strongly
-suggested that neither upper-case characters nor dots
-.Pq Ql \&.
-be part
-of the name, as this tends to confuse mailers.
+The login name must never begin with a hyphen (``-''); also, it is strongly
+suggested that neither upper-case characters or dots (``.'') be part
+of the name, as this tends to confuse mailers. No field may contain a
+colon (``:'') as this has been used historically to separate the fields
+in the user database.
.Pp
The password field is the
.Em encrypted
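Review bot: "neither upper-case characters or dots" should be "neither ... nor dots" (the removed line had "nor"), and "identical user id's" should be "identical user ids" or the original "uids". The new sentence that no field may contain a colon is a useful addition; it is the kind of input validation rule that belongs here.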
@@ -106,73 +129,66 @@ field is empty, no password will be required to gain access to the
machine. This is almost invariably a mistake.
Because these files contain the encrypted user passwords, they should
not be readable by anyone without appropriate privileges.
-Administrative accounts have a password field containing an asterisk
-.Ql \&*
-which disallows normal logins.
.Pp
The group field is the group that the user will be placed in upon login.
-Although this system supports multiple groups (see
+Since this system supports multiple groups (see
.Xr groups 1 )
-this field indicates the user's primary group.
-Secondary group memberships are selected in
-.Pa /etc/group .
+this field currently has little special meaning.
.Pp
The
.Ar class
-field is a key for a user's login class.
-Login classes are defined in
+field is a key for a user's login class. Login classes
+are defined in
.Xr login.conf 5 ,
-which is a
+which is a
.Xr termcap 5
-style database of user attributes, accounting, resource and
-environment settings.
+style database of user attributes, accounting, resource,
+and environment settings.
.Pp
The
.Ar change
-field is the number in seconds,
-.Dv GMT ,
-from the epoch, until the
+field is the number of seconds from the epoch,
+.Dv UTC ,
+until the
password for the account must be changed.
-This field may be left empty or set to 0 to turn off the
-password aging feature.
+This field may be left empty to turn off the password aging feature.
.Pp
The
.Ar expire
-field is the number in seconds,
-.Dv GMT ,
-from the epoch, until the
+field is the number of seconds from the epoch,
+.Dv UTC ,
+until the
account expires.
-This field may be left empty or set to 0 to turn off the account
-aging feature.
+This field may be left empty to turn off the account aging feature.
.Pp
The
.Ar gecos
-field normally contains comma
-.Pq Ql \&,
-separated subfields as follows:
+field normally contains comma (``,'') separated subfields as follows:
.Pp
-.Bl -bullet -compact -offset indent
-.It
+.Bl -tag -width office -offset indent -compact
+.It name
user's full name
-.It
-user's office location
-.It
+.It office
+user's office number
+.It wphone
user's work phone number
-.It
+.It hphone
user's home phone number
.El
.Pp
-This information is used by the
+The full name may contain a ampersand (``&'') which will be replaced by
+the capitalized login name when the gecos field is displayed or used
+by various programs such as
+.Xr finger 1 ,
+.Xr sendmail 8 ,
+etc.
+.Pp
+The office and phone number subfields are used by the
.Xr finger 1
-program, and the first field used by the system mailer.
-If an ampersand
-.Pq Ql \&&
-character appears within the fullname field, programs that
-use this field will substitute it with a capitalized version
-of the account's login name.
+program, and possibly other applications.
.Pp
The user's home directory is the full
-.Tn UNIX
+.Ux
path name where the user
will be placed on login.
.Pp
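Review bot: three substantive regressions in this hunk. First, "this field currently has little special meaning" for the group field is NetBSD text; on FreeBSD the removed sentences were accurate (the field is the user's primary group at login, with secondary memberships in /etc/group) and should be kept. Second, the sentence that administrative accounts carry an asterisk in the password field to disallow normal logins is deleted, yet the new text earlier in this patch relies on the reader knowing what a `*` password means; keep it, since it documents the lock convention. Third, the `change` and `expire` descriptions drop "or set to 0" as a way to disable aging; verify the library's treatment of 0 before removing that, because pwd_mkdb-generated databases commonly carry 0 in those fields. Wording: "a ampersand" should be "an ampersand".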
@@ -182,589 +198,119 @@ If there is nothing in the
field, the Bourne shell
.Pq Pa /bin/sh
is assumed.
-For security reasons, if the shell is set to a script that disallows
-access to the system (the
-.Xr nologin 8
-script, for example), care should be taken not to import any environment
-variables. With
-.Xr sh 1 ,
-this can be done by specifying the
-.Fl p
-flag.
-Check the specific shell documentation to determine how this is
-done with other shells.
-.Sh YP/NIS INTERACTION
-.Ss Enabling access to NIS passwd data
-The system administrator can configure
-.Tn FreeBSD
-to use NIS/YP for
-its password information by adding special records to the
-.Pa /etc/master.passwd
-file.
-These entries should be added with
-.Xr vipw 8
-so that the changes can be properly merged with the hashed
-password databases and the
-.Pa /etc/passwd
-file (
-.Pa /etc/passwd
-should never be edited manually). Alternatively, the administrator
-can modify
-.Pa /etc/master.passwd
-in some other way and then manually update the password databases with
-.Xr pwd_mkdb 8 .
-.Pp
-The simplest way to activate NIS is to add an empty record
-with only a plus sign
-.Pq Ql \&+
-in the name field, such as this:
-.Bd -literal -offset indent
-+:::::::::
-
-.Ed
-The
-.Ql \&+
-will tell the
-.Xr getpwent 3
-routines in
-.Tn FreeBSD Ns 's
-standard C library to begin using the NIS passwd maps
-for lookups.
-.Pp
-Note that the entry shown above is known as a
-.Em wildcard
-entry, because it matches all users (the
-.Ql \&+
-without any other information
-matches everybody) and allows all NIS password data to be retrieved
-unaltered.
-However, by
-specifying a username or netgroup next to the
-.Ql \&+
-in the NIS
-entry, the administrator can affect what data are extracted from the
-NIS passwd maps and how it is interpreted.
-Here are a few example
-records that illustrate this feature (note that you can have several
-NIS entries in a single
-.Pa master.passwd
-file):
-.Bd -literal -offset indent
--mitnick:::::::::
-+@staff:::::::::
-+@permitted-users:::::::::
-+dennis:::::::::
-+ken:::::::::/bin/csh
-+@rejected-users::32767:32767::::::/bin/false
-
-.Ed
-Specific usernames are listed explicitly while netgroups are signified
-by a preceding
-.Ql \&@ .
-In the above example, users in the
-.Dq staff
-and
-.Dq permitted-users
-netgroups will have their password information
-read from NIS and used unaltered.
-In other words, they will be allowed
-normal access to the machine.
-Users
-.Dq ken
-and
-.Dq dennis ,
-who have
-been named explicitly rather than through a netgroup, will also have
-their password data read from NIS,
-.Em except
-that user
-.Dq ken
-will have his shell remapped to
-.Pa /bin/csh .
-This means that value for his shell specified in the NIS password map
-will be overridden by the value specified in the special NIS entry in
-the local
-.Pa master.passwd
-file.
-User
-.Dq ken
-may have been assigned the csh shell because his
-NIS password entry specified a different shell that may not be
-installed on the client machine for political or technical reasons.
-Meanwhile, users in the
-.Dq rejected-users
-netgroup are prevented
-from logging in because their UIDs, GIDs and shells have been overridden
-with invalid values.
-.Pp
-User
-.Dq mitnick
-will be be ignored entirely because his entry is
-specified with a
-.Ql \&-
-instead of a
-.Ql \&+ .
-A minus entry can be used
-to block out certain NIS password entries completely; users whose
-password data has been excluded in this way are not recognized by
-the system at all.
-(Any overrides specified with minus entries are
-also ignored since there is no point in processing override information
-for a user that the system isn't going to recognize in the first place.)
-In general, a minus entry is used to specifically exclude a user
-who might otherwise be granted access because he happens to be a
-member of an authorized netgroup.
-For example, if
-.Dq mitnick
-is
-a member of the
-.Dq permitted-users
-netgroup and must, for whatever
-the reason, be permitted to remain in that netgroup (possibly to
-retain access to other machines within the domain), the administrator
-can still deny him access to a particular system with a minus entry.
-Also, it is sometimes easier to explicitly list those users who are not
-allowed access rather than generate a possibly complicated list of
-users who are allowed access and omit the rest.
-.Pp
-Note that the plus and minus entries are evaluated in order from
-first to last with the first match taking precedence.
-This means
-the system will only use the first entry that matches a particular user.
-If, using the same example, there is a user
-.Dq foo
-who is a member of both the
-.Dq staff
-netgroup and the
-.Dq rejected-users
-netgroup, he will be admitted to
-the system because the above example lists the entry for
-.Dq staff
-before the entry for
-.Dq rejected-users .
-If the order were reversed,
-user
-.Dq foo
-would be flagged as a
-.Dq rejected-user
-instead and denied access.
-.Pp
-Lastly, any NIS password database records that do not match against
-at least one of the users or netgroups specified by the NIS access
-entries in the
-.Pa /etc/master.passwd
-file will be ignored (along with any users specified using minus
-entries). In our example shown above, we do not have a wildcard
-entry at the end of the list; therefore, the system will not recognize
-anyone except
-.Dq ken ,
-.Dq dennis ,
-the
-.Dq staff
-netgroup, and the
-.Dq permitted-users
-netgroup as authorized users.
-The
-.Dq rejected-users
-netgroup will
-be recognized but all members will have their shells remapped and
-therefore be denied access.
-All other NIS password records
-will be ignored.
-The administrator may add a wildcard entry to the
-end of the list such as:
-.Bd -literal -offset indent
-+:::::::::/sbin/nologin
-
-.Ed
-This entry acts as a catch-all for all users that don't match against
-any of the other entries.
-This technique is sometimes useful when it is
-desirable to have the system be able to recognize all users in a
-particular NIS domain without necessarily granting them login access.
-See the description of the shell field regarding security concerns when using
-a shell script as the login shell.
-.Pp
-The primary use of this
-.Pa override
-feature is to permit the administrator
-to enforce access restrictions on NIS client systems.
-Users can be
-granted access to one group of machines and denied access to other
-machines simply by adding or removing them from a particular netgroup.
-Since the netgroup database can also be accessed via NIS, this allows
-access restrictions to be administered from a single location, namely
-the NIS master server; once a host's access list has been set in
-.Pa /etc/master.passwd ,
-it need not be modified again unless new netgroups are created.
-.Sh NOTES
-.Ss Shadow passwords through NIS
-.Tn FreeBSD
-uses a shadow password scheme: users' encrypted passwords
-are stored only in
-.Pa /etc/master.passwd
-and
-.Pa /etc/spwd.db ,
-which are readable and writable only by the superuser.
-This is done
-to prevent users from running the encrypted passwords through
-password-guessing programs and gaining unauthorized access to
-other users' accounts.
-NIS does not support a standard means of
-password shadowing, which implies that placing your password data
-into the NIS passwd maps totally defeats the security of
-.Tn FreeBSD Ns 's
-password shadowing system.
-.Pp
-.Tn FreeBSD
-provides a few special features to help get around this
-problem.
-It is possible to implement password shadowing between
-.Tn FreeBSD
-NIS clients and
-.Tn FreeBSD
-NIS servers.
-The
-.Xr getpwent 3
-routines will search for a
-.Pa master.passwd.byname
-and
-.Pa master.passwd.byuid
-maps which should contain the same data found in the
-.Pa /etc/master.passwd
-file.
-If the maps exist,
-.Tn FreeBSD
-will attempt to use them for user
-authentication instead of the standard
-.Pa passwd.byname
-and
-.Pa passwd.byuid
-maps.
-.Tn FreeBSD Ns 's
-.Xr ypserv 8
-will also check client requests to make sure they originate on a
-privileged port.
-Since only the superuser is allowed to bind to
-a privileged port, the server can tell if the requesting user
-is the superuser; all requests from non-privileged users to access
-the
-.Pa master.passwd
-maps will be refused.
-Since all user authentication programs run
-with superuser privilege, they should have the required access to
-users' encrypted password data while normal users will only
-be allowed access to the standard
-.Pa passwd
-maps which contain no password information.
-.Pp
-Note that this feature cannot be used in an environment with
-.No non- Ns Tn FreeBSD
-systems.
-Note also that a truly determined user with
-unrestricted access to your network could still compromise the
-.Pa master.passwd
+.Sh HESIOD SUPPORT
+If
+.Sq dns
+is specified for the
+.Sq passwd
+database in
+.Xr nsswitch.conf 5 ,
+then
+.Nm
+lookups occur from the
+.Sq passwd
+Hesiod domain.
+.Sh NIS SUPPORT
+If
+.Sq nis
+is specified for the
+.Sq passwd
+database in
+.Xr nsswitch.conf 5 ,
+then
+.Nm
+lookups occur from the
+.Sq passwd.byname ,
+.Sq passwd.byuid ,
+.Sq master.passwd.byname ,
+and
+.Sq master.passwd.byuid
+.Tn NIS
maps.
-.Ss UID and GID remapping with NIS overrides
-Unlike
-.Tn SunOS
-and other operating systems that use Sun's NIS code,
-.Tn FreeBSD
-allows the user to override
-.Pa all
-of the fields in a user's NIS
-.Pa passwd
-entry.
-For example, consider the following
-.Pa /etc/master.passwd
-entry:
-.Bd -literal -offset indent
-+@foo-users:???:666:666:0:0:0:Bogus user:/home/bogus:/bin/bogus
-
-.Ed
-This entry will cause all users in the `foo-users' netgroup to
-have
-.Pa all
-of their password information overridden, including UIDs,
-GIDs and passwords.
-The result is that all `foo-users' will be
-locked out of the system, since their passwords will be remapped
-to invalid values.
-.Pp
-This is important to remember because most people are accustomed to
-using an NIS wildcard entry that looks like this:
-.Bd -literal -offset indent
-+:*:0:0:::
-
-.Ed
-This often leads to new
-.Tn FreeBSD
-administrators choosing NIS entries for their
-.Pa master.passwd
-files that look like this:
-.Bd -literal -offset indent
-+:*:0:0::::::
-
-.Ed
-Or worse, this
-.Bd -literal -offset indent
-+::0:0::::::
-
-.Ed
-.Sy DO _NOT_ PUT ENTRIES LIKE THIS IN YOUR
-.Sy Pa master.passwd
-.Sy FILE!!
-The first tells
-.Tn FreeBSD
-to remap all passwords to
-.Ql \&*
-(which
-will prevent anybody from logging in) and to remap all UIDs and GIDs
-to 0 (which will make everybody appear to be the superuser). The
-second case just maps all UIDs and GIDs to 0, which means that
-all users will appear to be root!
-.Pp
-.Ss Compatibility of NIS override evaluation
-When Sun originally added NIS support to their
-.Xr getpwent 3
-routines, they took into account the fact that the
-.Tn SunOS
-password
-.Pa /etc/passwd
-file is in plain
-.Tn ASCII
-format.
-The
-.Tn SunOS
-documentation claims that
-adding a
-.Ql \&+
-entry to the password file causes the contents of
-the NIS password database to be
-.Dq inserted
-at the position in the file where the
-.Ql \&+
-entry appears.
-If, for example, the
-administrator places a
-.Ql \&+::::::
-entry in the middle of
-.Pa /etc/passwd ,
-then the entire contents of the NIS password map would appear
-as though it had been copied into the middle of the password
-file.
-If the administrator places
-.Ql \&+::::::
-entries at both the middle and the end of
-.Pa /etc/passwd ,
-then the NIS password map would appear twice: once in the middle
-of the file and once at the end.
-(By using override entries
-instead of simple wildcards, other combinations could be achieved.)
-.Pp
-By contrast,
-.Fx
-does not have a single
-.Tn ASCII
-password file: it
-has a hashed password database.
-This database does not have an
-easily-defined beginning, middle or end, which makes it very hard
-to design a scheme that is 100% compatible with
-.Tn SunOS .
-For example,
-the
-.Fn getpwnam
-and
-.Fn getpwuid
-functions in
-.Tn FreeBSD
-are designed to do direct queries to the
-hash database rather than a linear search.
-This approach is faster
-on systems where the password database is large.
-However, when
-using direct database queries, the system does not know or care
-about the order of the original password file, and therefore
-it cannot easily apply the same override logic used by
-.Tn SunOS .
+.Sh COMPAT SUPPORT
+If
+.Sq compat
+is specified for the
+.Sq passwd
+database, and either
+.Sq dns
+or
+.Sq nis
+is specified for the
+.Sq passwd_compat
+database in
+.Xr nsswitch.conf 5 ,
+then the
+.Nm
+file also supports standard
+.Sq +/-
+exclusions and inclusions, based on user names and netgroups.
.Pp
-Instead,
-.Tn FreeBSD
-groups all the NIS override entries together
-and constructs a filter out of them.
-Each NIS password entry
-is compared against the override filter exactly once and
-treated accordingly: if the filter allows the entry through
-unaltered, it's treated unaltered; if the filter calls for remapping
-of fields, then fields are remapped; if the filter calls for
-explicit exclusion (i.e., the entry matches a
-.Ql \&-
-override), the entry is ignored; if the entry doesn't match against any
-of the filter specifications, it's discarded.
+Lines beginning with a ``-'' (minus sign) are entries marked as being excluded
+from any following inclusions, which are marked with a ``+'' (plus sign).
.Pp
-Again, note that the NIS
-.Ql \&+
-and
-.Ql \&-
-entries themselves are handled in the order in which they were specified
-in the
-.Pa /etc/master.passwd
-file, since doing otherwise would lead to unpredictable behavior.
+If the second character of the line is a ``@'' (at sign), the operation
+involves the user fields of all entries in the netgroup specified by the
+remaining characters of the
+.Ar name
+field.
+Otherwise, the remainder of the
+.Ar name
+field is assumed to be a specific user name.
.Pp
-The end result is that
-.Tn FreeBSD Ns 's
-provides a very close approximation
-of
-.Tn SunOS Ns 's
-behavior while maintaining the database paradigm, though the
-.Xr getpwent 3
-functions do behave somewhat differently from their
-.Tn SunOS
-counterparts.
-The primary differences are:
-.Bl -bullet -offset indent
-.It
-Each NIS password map record can be mapped into the password
-local password space only once.
-.It
-The placement of the NIS
-.Ql \&+
+The ``+'' token may also be alone in the
+.Ar name
+field, which causes all users from either the Hesiod domain
+.Nm
+(with
+.Sq passwd_compat: dns )
+or
+.Sq passwd.byname
and
-.Ql \&-
-entries does not necessarily
-affect where NIS password records will be mapped into
-the password space.
-.El
-.Pp
-In 99% of all
-.Tn FreeBSD
-configurations, NIS client behavior will be
-indistinguishable from that of
-.Tn SunOS
-or other similar systems.
-Even
-so, users should be aware of these architectural differences.
+.Sq passwd.byuid
+.Tn NIS
+maps (with
+.Sq passwd_compat: nis )
+to be included.
.Pp
-.Ss Using groups instead of netgroups for NIS overrides
-.Tn FreeBSD
-offers the capability to do override matching based on
-user groups rather than netgroups.
-If, for example, an NIS entry
-is specified as:
-.Bd -literal -offset indent
-+@operator:::::::::
-
-.Ed
-the system will first try to match users against a netgroup called
-.Ql operator .
-If an
-.Ql operator
-netgroup doesn't exist, the system
-will try to match users against the normal
-.Ql operator
-group instead.
-.Ss Changes in behavior from older versions of FreeBSD
-There have been several bug fixes and improvements in
-.Tn FreeBSD Ns 's
-NIS/YP handling, some of which have caused changes in behavior.
-While the behavior changes are generally positive, it is important
-that users and system administrators be aware of them:
-.Bl -enum -offset indent
-.It
-In versions prior to 2.0.5, reverse lookups (i.e. using
-.Fn getpwuid )
-would not have overrides applied, which is to say that it
-was possible for
-.Fn getpwuid
-to return a login name that
-.Fn getpwnam
-would not recognize.
-This has been fixed: overrides specified
-in
-.Pa /etc/master.passwd
-now apply to all
-.Xr getpwent 3
-functions.
-.It
-Prior to
-.Fx 2.0.5 ,
-netgroup overrides did not work at
-all, largely because
-.Tn FreeBSD
-did not have support for reading
-netgroups through NIS.
-Again, this has been fixed, and
-netgroups can be specified just as in
-.Tn SunOS
-and similar NIS-capable
-systems.
-.It
-.Tn FreeBSD
-now has NIS server capabilities and supports the use
-of
-.Pa master.passwd
-NIS maps in addition to the standard Sixth Edition format
-.Pa passwd
-maps.
-This means that you can specify change, expiration and class
-information through NIS, provided you use a
-.Tn FreeBSD
-system as
-the NIS server.
-.El
-.Sh FILES
-.Bl -tag -width /etc/master.passwd -compact
-.It Pa /etc/passwd
-.Tn ASCII
-password file, with passwords removed
-.It Pa /etc/pwd.db
-.Xr db 3 -format
-password database, with passwords removed
-.It Pa /etc/master.passwd
-.Tn ASCII
-password file, with passwords intact
-.It Pa /etc/spwd.db
-.Xr db 3 -format
-password database, with passwords intact
-.El
+If the entry contains non-empty
+.Ar uid
+or
+.Ar gid
+fields, the specified numbers will override the information retrieved
+from the Hesiod domain or the
+.Tn NIS
+maps. As well, if the
+.Ar gecos,
+.Ar dir
+or
+.Ar shell
+entries contain text, it will override the information included via
+Hesiod or
+.Tn NIS .
+On some systems, the
+.Ar passwd
+field may also be overridden.
.Sh SEE ALSO
.Xr chpass 1 ,
.Xr login 1 ,
.Xr passwd 1 ,
.Xr getpwent 3 ,
-.Xr login_getclass 3 ,
-.Xr yp 4 ,
-.Xr login.conf 5 ,
+.Xr netgroup 5 ,
.Xr adduser 8 ,
-.Xr pw 8 ,
.Xr pwd_mkdb 8 ,
-.Xr vipw 8
+.Xr vipw 8 ,
+.Xr yp 8
+.Pp
+.%T "Managing NFS and NIS"
+(O'Reilly & Associates)
.Sh BUGS
User information should (and eventually will) be stored elsewhere.
.Pp
-The YP/NIS password database makes encrypted passwords visible to
-ordinary users, thus making password cracking easier unless you use
-shadow passwords with the
-.Pa master.passwd
-maps and
-.Tn FreeBSD Ns 's
-.Xr ypserv 8
-server.
-.Pp
-Unless you're using
-.Tn FreeBSD Ns 's
-.Xr ypserv 8 ,
-which supports the use of
-.Pa master.passwd
-type maps,
-the YP/NIS password database will be in old-style (Sixth Edition) format,
-which means that site-wide values for user login class, password
-expiration date, and other fields present in the current format
-will not be available when a
-.Tn FreeBSD
-system is used as a client with
-a standard NIS server.
+Placing
+Sq compat
+exclusions in the file after any inclusions will have
+unexpected results.
.Sh COMPATIBILITY
The password file format has changed since
.Bx 4.3 .
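Review bot: the rewrite drops the warning against `+:*:0:0::::::` and `+::0:0::::::` entries from the removed NOTES text, yet the new COMPAT SUPPORT paragraph starting "If the entry contains non-empty .Ar uid or .Ar gid fields, the specified numbers will override the information retrieved from the Hesiod domain or the NIS maps" still documents exactly the behaviour that makes those entries dangerous: an override with uid and gid 0 maps every NIS user to the superuser. Carry the explicit DO NOT warning into COMPAT SUPPORT instead of losing it. The NIS SUPPORT section now lists the master.passwd.byname and master.passwd.byuid maps without the removed explanation that these carry the encrypted passwords and are only served to privileged ports by FreeBSD's ypserv(8); one sentence (or a pointer to yp(8)) would keep the shadow-password caveat visible. The closing "On some systems, the passwd field may also be overridden" is NetBSD hedging; the removed text states that FreeBSD allows overriding all fields of a NIS passwd entry, including the password, so say so directly. Two mdoc nits in the added text: the BUGS entry reads "Placing / Sq compat" and is missing the leading dot on ".Sq compat", so it will render as literal text, and ".Ar gecos," should pass the comma as a separate argument (".Ar gecos ,") so it is not marked up as part of the field name.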
@@ -776,10 +322,9 @@ The additional fields
and
.Dq expire
are added, but are turned off by default.
-These fields can then be set using
-.Xr vipw 8
-or
-.Xr pw 8 .
+Class is currently not implemented, but change and expire are; to set them,
+use the current day in seconds from the epoch + whatever number of seconds
+of offset you want.
.Bd -literal -offset indent
BEGIN { FS = ":"}
{ print $1 ":" $2 ":" $3 ":" $4 "::0:0:" $5 ":" $6 ":" $7 }
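Review bot: "Class is currently not implemented, but change and expire are" is imported NetBSD text and does not hold for FreeBSD, which implements login classes; the same commit removes the login.conf(5) and login_getclass(3) cross references that documented them, so the page now contradicts its own former SEE ALSO. Keep the removed "These fields can then be set using .Xr vipw 8 or .Xr pw 8 ." rather than telling readers to hand-compute "the current day in seconds from the epoch + whatever number of seconds of offset you want", since pw(8) accepts dates for the change and expire fields, and restore the login.conf(5) reference for the class field.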
@@ -789,14 +334,15 @@ A
.Nm
file format appeared in
.At v6 .
-The YP/NIS functionality is modeled after
-.Tn SunOS
-and first appeared in
-.Fx 1.1
-The override capability is new in
-.Fx 2.0 .
-The override capability was updated to properly support netgroups
-in
-.Fx 2.0.5 .
-Support for comments first appeared in
-.Fx 3.0 .
+.Pp
+The
+.Tn NIS
+.Nm
+file format first appeared in SunOS.
+.Pp
+The Hesiod support first appeared in
+.Fx 4.1 .
+It was imported from the
+.Nx
+Project, where it first appeared in
+.Nx 1.4 .
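Review bot: the replaced HISTORY loses release facts that the new text does not restate (YP/NIS first appeared in FreeBSD 1.1, the override capability in 2.0, netgroup support for overrides in 2.0.5, comments in 3.0); "The NIS passwd file format first appeared in SunOS" is not a substitute, since it says nothing about this implementation. Keep the FreeBSD entries and append the Hesiod and nsswitch history after them. Please also confirm that ".Fx 4.1" is the release this change will first ship in rather than a version number carried over from the NetBSD-derived text; nsdispatch(3) and nsswitch.conf(5) are new in this commit, so their first FreeBSD release should match here.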
diff --git a/share/man/man8/yp.8 b/share/man/man8/yp.8
index dda8944..3ceab06 100644
--- a/share/man/man8/yp.8
+++ b/share/man/man8/yp.8
@@ -57,14 +57,8 @@ daemon makes direct
library calls since there are no
functions in the standard C library for reading bootparams.
.Tn NIS
-support for the hosts, services and rpc databases is enabled by
-uncommenting the
-.Em nis
-line in
-.Pa /etc/host.conf .
-.Tn NIS
-support for the remaining services is
-activated by adding a special '+' entry to the appropriate file.
+support is enabled in
+.Xr nsswitch.conf .
.Pp
The
.Nm YP
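Review bot: ".Xr nsswitch.conf ." is missing the manual section; write ".Xr nsswitch.conf 5 ." so the cross reference renders and links correctly. The removed sentence also told readers that NIS for the remaining databases was "activated by adding a special '+' entry to the appropriate file"; under nsswitch those "+" entries only take effect when the database lists the "compat" source and passwd_compat is set to "nis", as the passwd.5 changes in this same commit describe, so state that here instead of the bare "support is enabled in nsswitch.conf".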