On 04/11/2013 09:10 AM, Stephen Gallagher wrote:
Ok, that definitely is showing where the problem lies. This strongly
suggests to me that you have a user in your LDAP with the same name as
on your local system. What's most likely happening is that the
initgroups() call internally is walking through and processing all of
the potential groups that username belongs to.
Can you check whether
getent -s sss passwd <localuser>
returns anything? If it does, you have an overlap and should probably
resolve it on one side or the other.

Hmm, that command returns nothing on either system. And it still leaves
the question of why pam_unix.so isn't catching the local account before
pam_sss.so is invoked at all.