[Freeipa-users] Why would /etc/passwd get skipped?
Simo Sorce
simo at redhat.com
Thu May 22 17:06:17 UTC 2014
On Thu, 2014-05-22 at 12:47 -0400, Bret Wortman wrote:
> If this line is in /etc/nsswitch.conf:
>
> passwd: files sss
>
> Why would the user account from IPA get used when an identical one
> exists in /etc/passwd? We can tell because of some additional groups
> granted when authentication comes from IPA.
>
> If I shut down sssd, then login proceeds through /etc/passwd as
> expected, but as soon as I restart sssd, this behavior starts again.
> It's almost as if nsswitch.conf is being ignored or read
> right-to-left.
>
> Just another oddity I uncovered on one system as I was troubleshooting a
> particularly long "ssh localhost" and trying to rule things out.
>
The initgroups call (done at authentication to find what groups a user
is a member of) by default traverses all databases, so if the same
username is found in multiple databases the groups are added as well.
There is actually a way to change this behavior, although it usually
causes more issues than it resolves.
You could try with: initgroups: files sss
Simo.
--
Simo Sorce * Red Hat, Inc * New York
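
The lookup behaviour described in the reply above, as an added example that is not part of the original message and is not glibc or SSSD code: a simplified Python model of a passwd lookup that stops at the first match next to an initgroups lookup that merges every source unless an `initgroups:` line is present. The users `jdoe` and `ipaonly`, the group names and the database contents are constructed, and the model assumes a service reports success only when it finds at least one group for the user.

```python
"""Simplified model of the NSS lookups discussed above (added example)."""

def parse_nsswitch(text):
    """Map each database to its ordered service list; [action] items are ignored."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            db, services = line.split(":", 1)
            conf[db.strip()] = [s for s in services.split() if not s.startswith("[")]
    return conf

def passwd_source(conf, user, passwd_dbs):
    """getpwnam-style lookup: the first service that knows the user wins."""
    for svc in conf.get("passwd", []):
        if user in passwd_dbs.get(svc, {}):
            return svc
    return None

def supplementary_groups(conf, user, group_dbs):
    """initgroups-style lookup over constructed group databases."""
    # Without an 'initgroups:' line every service on the 'group:' line is
    # walked and the results are merged; with one, the first hit ends the walk.
    explicit = "initgroups" in conf
    services = conf["initgroups"] if explicit else conf.get("group", [])
    found = []
    for svc in services:
        hits = [g for g, members in group_dbs.get(svc, {}).items() if user in members]
        found += [g for g in hits if g not in found]
        if explicit and hits:
            break
    return found

# Constructed sample data: jdoe exists locally and in IPA, ipaonly only in IPA.
PASSWD = {"files": {"jdoe": 1000}, "sss": {"jdoe": 1000, "ipaonly": 2000}}
GROUPS = {"files": {"wheel": ["jdoe"]},
          "sss": {"ipausers": ["jdoe", "ipaonly"], "admins": ["jdoe"]}}
DEFAULT = "passwd: files sss\ngroup: files sss\n"
PINNED = DEFAULT + "initgroups: files sss\n"

if __name__ == "__main__":
    for label, text in (("default", DEFAULT), ("pinned", PINNED)):
        conf = parse_nsswitch(text)
        print(label, passwd_source(conf, "jdoe", PASSWD),
              supplementary_groups(conf, "jdoe", GROUPS))
```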