On Thu, Apr 11, 2013 at 10:22:30AM -0400, Sutton, Harry (GSSE) wrote:
On 04/11/2013 09:55 AM, Simo Sorce wrote:
>
>Because the PAM stack is completely separate from the NSS stack,
>although we suggest people to not do this normally you can use an option
>in nsswitch.conf to avoid falling through NSS modules during the
>initgroups call to avoid paying the penalty for local users.
>
>The option is called 'initgroupss', where you can list files and sss as
>databases.
>
>Note that we normally *do not* recommend this option, here is a
>discussion of the why:
>https://bugzilla.redhat.com/show_bug.cgi?id=835612
>
>Simo.
>
Thanks, that works as a workaround. If I can get an answer to my
earlier question about sss_aduser in a LOCAL domain I'll consider
migrating completely to sssd for local and domain logins, at which
point I can remove this modification to nsswitch.
Can you remind me what that problem was? Were you getting some kind of
transaction error?
Can you run the tool with:
sss_useradd --debug-level 10
?