On Thu, 2013-04-11 at 09:44 -0400, Sutton, Harry (GSSE) wrote:
> On 04/11/2013 09:10 AM, Stephen Gallagher wrote:
> > Ok, that definitely is showing where the problem lies. This strongly
> > suggests to me that you have a user in your LDAP with the same name as
> > on your local system. What's most likely happening is that the
> > initgroups() call internally is walking through and processing all of
> > the potential groups that username belongs to.
> > Can you check whether
> > getent -s sss passwd <localuser>
> > returns anything? If it does, you have an overlap and should probably
> > resolve it on one side or the other.
> Hmm, that command returns nothing on either system. And it still leaves
> the question of why pam_unix.so isn't catching the local account before
> pam_sss.so is invoked at all.
Because the PAM stack is completely separate from the NSS stack.
Although we normally suggest that people not do this, you can use an option
in nsswitch.conf to avoid falling through NSS modules during the
initgroups call, to avoid paying the penalty for local users.
The option is called 'initgroups', where you can list files and sss as
Note that we normally *do not* recommend this option; here is a
discussion of why:
Simo Sorce * Red Hat, Inc * New York
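As an added example (not part of the thread and not SSSD project code), the script below does two things the exchange above talks about: it runs the per-user overlap check Stephen suggested across every account in the local files source, and it reads the `initgroups` database line from an nsswitch.conf that Simo mentions. The sample nsswitch.conf text is constructed for the example; the `initgroups: files [SUCCESS=continue] sss` form is the one documented for glibc/SSSD, but whether it is appropriate on a given system is exactly the question Simo's caveat raises. Function names are my own.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the SSSD project.

# Pure helper: print names that appear in both newline-separated lists.
# Each list is de-duplicated first so a name repeated within one source
# is not mistaken for an overlap; blank entries are dropped.
overlap_names() {
    { printf '%s\n' "$1" | sort -u; printf '%s\n' "$2" | sort -u; } \
        | sort | uniq -d | sed '/^$/d'
}

# Live check (needs getent and libnss_sss on the box): for every account
# the files source knows, ask the sss source for the same name. Per-name
# lookups are used because sssd does not enumerate users by default, so
# "getent -s sss passwd" with no argument would usually print nothing.
check_local_users_in_sss() {
    getent -s files passwd | cut -d: -f1 | while IFS= read -r u; do
        if getent -s sss passwd "$u" >/dev/null 2>&1; then
            printf '%s\n' "$u"   # this local name also resolves via sss
        fi
    done
}

# Pure helper: given nsswitch.conf text, print the sources listed on the
# uncommented "initgroups:" line with action specs such as
# [SUCCESS=continue] removed and whitespace normalised. Prints nothing
# when there is no such line, in which case glibc falls back to "group:".
initgroups_sources() {
    printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*initgroups:[[:space:]]*//p' \
        | sed 's/\[[^]]*\]//g; s/[[:space:]][[:space:]]*/ /g; s/ *$//'
}

# Constructed sample nsswitch.conf for the example. The commented-out
# line shows that comments are ignored; the live line is the glibc/SSSD
# documented form, where [SUCCESS=continue] keeps glibc asking sss for
# supplementary groups even after files returned the user.
SAMPLE_NSSWITCH='passwd:     files sss
group:      files sss
#initgroups: files
initgroups: files [SUCCESS=continue] sss'

# Run the live overlap check only when asked, so sourcing this file for
# the helpers has no side effects.
if [ "${1:-}" = "--live" ]; then
    echo "local accounts that also resolve through sss:"
    check_local_users_in_sss
fi
```

Run it as `sh overlap_check.sh --live` on the affected host; any name it prints is an account defined both locally and in LDAP, which is the overlap the thread is trying to rule out. `initgroups_sources` is there so a config-review script can tell at a glance whether an admin has already applied the `initgroups` line and with which sources.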