On Thu, 2013-04-11 at 10:22 -0400, Sutton, Harry (GSSE) wrote:
On 04/11/2013 09:55 AM, Simo Sorce wrote:
>
> Because the PAM stack is completely separate from the NSS stack,
> although we suggest people to not do this normally you can use an option
> in nsswitch.conf to avoid falling through NSS modules during the
> initgroups call to avoid paying the penalty for local users.
>
> The option is called 'initgroupss', where you can list files and sss as
> databases.
>
> Note that we normally *do not* recommend this option, here is a
> discussion of the why:
>
https://bugzilla.redhat.com/show_bug.cgi?id=835612
>
> Simo.
>
Thanks, that works as a workaround. If I can get an answer to my earlier
question about sss_aduser in a LOCAL domain I'll consider migrating
completely to sssd for local and domain logins, at which point I can
remove this modification to nsswitch.
Any reason why you need a local user at all ? (Just curious)
Simo.
--
Simo Sorce * Red Hat, Inc * New York