Sysadm records

sssd and login

nsswitch.conf - group

Summary

If a user needs both local groups and remote (sssd) groups, the group line in nsswitch.conf can be configured as below:

group:      files sss # /etc/group + groups from sssd

or

group:      files [SUCCESS=merge] sss # Specify an action explicitly

If a user only needs sssd groups, it can be configured like this:

group:     sss       # no files

Explanation:

Based on the man page (nsswitch.conf(5)):

The first column is the database name. The remaining columns
specify:

  • One or more service specifications, for example, "files",
    "db", or "nis". The order of the services on the line
    determines the order in which those services will be queried,
    in turn, until a result is found.
  • Optional actions to perform if a particular result is obtained
    from the preceding service, for example, "[NOTFOUND=return]".

Simply put, the name services are queried in the order they are listed.

group:      files sss

The configuration above asks /etc/group for groups first, then asks sssd after that.

Based on the STATUS section of the same man page:

success:
No error occurred and the requested entry is returned.
The default action for this condition is "return".

Because the default action on success is "return", the group query may stop after /etc/group has been searched.
If that happens, use [SUCCESS=merge] when you plan to give one user groups from both sources.

In my Ubuntu bionic, it works without setting [SUCCESS=merge].
I guess the default option is merge, but I have not verified this.
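To make the lookup-order and [SUCCESS=merge] behaviour described above concrete, here is a small simulation (an added example, not part of these notes and not glibc code). It parses a nsswitch.conf `group:` line into services and actions, then resolves a group name the way a getgrnam()-style lookup walks the services: the status of each service picks an action (the man page defaults, or one from a `[STATUS=action]` bracket), "return" stops at the first hit, and "merge" keeps the members found so far and unions them with later hits. The service tables (`files`, `sss`) and the group data are constructed sample data; GID handling is left out and groups are matched by name only.

```python
"""Simulate glibc's nsswitch.conf 'group' lookup order (added example).

A model of getgrnam()-style resolution, not glibc itself: services are
tried in order, each yields a status, and the status's action (default
or from a [STATUS=action] bracket) decides whether the lookup stops,
continues, or merges members. Groups are matched by name only.
"""
import re

# Default action per status, per nsswitch.conf(5): success stops,
# every other status falls through to the next service.
DEFAULT_ACTIONS = {
    "success": "return",
    "notfound": "continue",
    "unavail": "continue",
    "tryagain": "continue",
}

# A token is either a [ ... ] action bracket or a bare service name.
TOKEN_RE = re.compile(r"\[[^\]]*\]|\S+")

# Constructed sample data: "admins" exists on both sides with different members.
SAMPLE_SOURCES = {
    "files": {"admins": ["alice"], "wheel": ["root"]},
    "sss":   {"admins": ["bob"], "devs": ["carol"]},
}


def parse_group_line(line):
    """Parse a 'group:' line into [(service, {status: action}), ...].

    Text after '#' is a comment (nsswitch.conf has no '//' comments).
    A bracket applies to the service immediately before it.
    """
    line = line.split("#", 1)[0]
    db, sep, rest = line.partition(":")
    if not sep or db.strip() != "group":
        raise ValueError("expected a 'group:' line, got %r" % line)
    entries = []
    for tok in TOKEN_RE.findall(rest):
        if tok.startswith("["):
            if not entries:
                raise ValueError("action %r precedes any service" % tok)
            for pair in tok.strip("[]").split():
                status, _, action = pair.lower().partition("=")
                if status not in DEFAULT_ACTIONS or action not in ("return", "continue", "merge"):
                    raise ValueError("bad action %r" % pair)
                entries[-1][1][status] = action
        else:
            entries.append((tok, {}))
    return entries


def lookup_group(entries, name, sources):
    """Resolve group `name` following the parsed line.

    `sources` maps service name -> {group name: [members]}; a service
    missing from `sources` is treated as 'unavail' (e.g. sssd not running).
    Returns the member list, or None if no service had the group.
    """
    merged = None  # members accumulated by a preceding [SUCCESS=merge]
    for service, actions in entries:
        table = sources.get(service)
        if table is None:
            status = "unavail"
        elif name in table:
            status = "success"
        else:
            status = "notfound"
        action = actions.get(status, DEFAULT_ACTIONS[status])

        if status == "success":
            members = list(table[name])
            if merged is not None:
                members = merged + [m for m in members if m not in merged]
            if action == "merge":
                merged = members      # keep going; union with later hits
                continue
            return members            # default 'return': stop here
        # Not found / unavailable here: an earlier merge result survives
        # unless the configured action says to stop now.
        if action == "return":
            return merged
    return merged


if __name__ == "__main__":
    for cfg in ("group: files sss  # /etc/group + groups from sssd",
                "group: files [SUCCESS=merge] sss",
                "group: sss  # no files"):
        entries = parse_group_line(cfg)
        print(cfg.split("#")[0].strip(), "->",
              {g: lookup_group(entries, g, SAMPLE_SOURCES) for g in ("admins", "wheel", "devs")})
```

With `files sss`, a group that exists in /etc/group never shows its sssd members, because the success on `files` returns at once; with `files [SUCCESS=merge] sss` the members are unioned, and a group that only sssd knows is still found either way. This models single-entry lookups such as `getent group NAME`; the supplementary group list glibc builds at login (the initgroups path) is a separate code path in glibc that walks every listed service, so checking with `id` and with `getent group` can give different pictures.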

Trace PAM with strace