Bret

On 05/22/2014 01:06 PM, Simo Sorce wrote:
> On Thu, 2014-05-22 at 12:47 -0400, Bret Wortman wrote:
>> If this line is in /etc/nsswitch.conf:
>>
>>     passwd: files sss
>>
>> Why would the user account from IPA get used when an identical one
>> exists in /etc/passwd? We can tell because of some additional groups
>> granted when authentication comes from IPA. If I shut down sssd, then
>> login proceeds through /etc/passwd as expected, but as soon as I
>> restart sssd, this behavior starts again.
>>
>> It's almost as if nsswitch.conf is being ignored or read right-to-left.
>>
>> Just another oddity I uncovered on one system as I was troubleshooting
>> a particularly long "ssh localhost" and trying to rule things out.
>
> The initgroups call (done at authentication to find what groups a user
> is member of) by default traverses all databases, so if the same
> username is found in multiple databases the groups are added as well.
>
> There is actually a way to change this behavior, although it usually
> causes more issues than it resolves.
>
> You could try with:
>
>     initgroups: files sss
>
> Simo.
_______________________________________________
Freeipa-users mailing list
Freeipaemail@example.com
https://www.redhat.com/mailman/listinfo/freeipa-users
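
Added example, not part of the original thread: a simplified Python model of the group lookup discussed above, showing why a local account also picks up the groups of an identically named sss account unless an `initgroups:` line is present. The user, group and database contents are constructed, and the rule applied to an explicit `initgroups:` line (stop at the first source that knows the user) is an assumption about the resolver's default, not code from glibc or SSSD.

```python
# Simplified model (an assumption, not glibc source) of how supplementary
# groups are collected from the databases named in nsswitch.conf.

def lookup_plan(nsswitch_text):
    """Return (sources, merge_all) for the initgroups lookup."""
    entries = {}
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if ":" not in line:
            continue
        db, _, rest = line.partition(":")
        # Bracketed actions such as [NOTFOUND=return] are ignored in this model.
        entries[db.strip()] = [s for s in rest.split() if not s.startswith("[")]
    if "initgroups" in entries:
        # Explicit line: the first source that knows the user ends the lookup.
        return entries["initgroups"], False
    # No initgroups line: every source on the group line is consulted and merged.
    return entries.get("group", []), True


def supplementary_groups(user, nsswitch_text, databases):
    """Groups the user would receive at login under this configuration."""
    sources, merge_all = lookup_plan(nsswitch_text)
    groups = []
    for name in sources:
        found = databases.get(name, {}).get(user)
        if found is None:                          # user unknown to this source
            continue
        groups.extend(g for g in found if g not in groups)
        if not merge_all:
            break
    return groups


# Constructed sample data: the same username exists locally and in sss.
DATABASES = {
    "files": {"alice": ["alice", "wheel"]},
    "sss": {"alice": ["alice", "ipausers", "admins"]},
}
DEFAULT_CONF = "passwd: files sss\ngroup: files sss\n"
PINNED_CONF = DEFAULT_CONF + "initgroups: files sss\n"

if __name__ == "__main__":
    print("default:", supplementary_groups("alice", DEFAULT_CONF, DATABASES))
    print("pinned: ", supplementary_groups("alice", PINNED_CONF, DATABASES))
```

On a live host, comparing `id <user>` output before and after the change shows whether the extra groups are still being merged in.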