This is the mail archive of the
libc-help@sourceware.org
mailing list for the glibc project.
how to stop nss from using all services to find secondary groups?
- From: Mike Coleman <tutufan at gmail dot com>
- To: libc-help at sourceware dot org
- Date: Tue, 8 Dec 2009 10:44:20 -0600
- Subject: how to stop nss from using all services to find secondary groups?
Hi,
I have a box that uses winbind for most accounts, but I'm trying to
create a setup where for local users (those defined in /etc/passwd),
winbind is wholly ignored. I seem to have a good PAM config for this,
and I have 'files' in front of 'winbind' everywhere in
/etc/nsswitch.conf, but local users are still picking up some
secondary groups from winbind.
My theory on this is that when login/su/whatever is trying to decide
what secondary groups to set, it has the primary uid and gid in hand,
and their names, and basically ends up walking the group databases
(/etc/group and winbind's version) looking for all occurrences of the
username in question. If this is so, *all* users end up with a list
of secondary groups that's more or less a *union* of whatever is
listed in all group databases.
Is this theory correct? Is there any way for me to get what I really
want, which is that for local users, secondary groups will be
determined entirely by the contents of /etc/group?
Thanks,
Mike