On 04/11/2013 09:55 AM, Simo Sorce wrote:
Because the PAM stack is completely separate from the NSS stack,
although we suggest people to not do this normally you can use an option
in nsswitch.conf to avoid falling through NSS modules during the
initgroups call to avoid paying the penalty for local users.
The option is called 'initgroupss', where you can list files and sss as
databases.
Note that we normally *do not* recommend this option, here is a
discussion of the why:
https://bugzilla.redhat.com/show_bug.cgi?id=835612
Simo.
Thanks, that works as a workaround. If I can get an answer to my earlier
question about sss_aduser in a LOCAL domain I'll consider migrating
completely to sssd for local and domain logins, at which point I can
remove this modification to nsswitch.
/Harry