Package: libc6
Version: 2.3.6-7

With nsswitch.conf set to

    passwd: files ldap
    group: files ldap
    shadow: files ldap

when looking up the groups of which a user is a member, libc searches both files and ldap, even if the user is present in files. This is contrary to what is stated in the manpage:

    success  No error occurred and the wanted entry is returned. The default action for this is ‘return’.

In addition, even if the return is added explicitly:

    passwd: files [SUCCESS=return] ldap
    group: files [SUCCESS=return] ldap
    shadow: files [SUCCESS=return] ldap

both files and ldap are still searched.

Test program:

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <grp.h>
    #include <pwd.h>

    int main(int argc, char *argv[])
    {
        int i, ng = 0;
        int length;
        char *user;
        gid_t *groups = NULL;

        if(argc != 2) {
            printf("Usage: grouptest username\n");
            exit(1);
        }

        length = strlen(argv[1]) + 1;
        user = (char *) malloc(length);
        if (user == NULL) {
            printf("Error on malloc");
            exit(1);
        }
        strcpy(user,argv[1]);

        printf("%s groups:\n",user);

        struct passwd *pw = getpwnam(user);
        if (pw == NULL)
            return 0;

        if (getgrouplist(user, pw->pw_gid, NULL, &ng) < 0) {
            groups = (gid_t *) malloc(ng * sizeof (gid_t));
            getgrouplist(user, pw->pw_gid, groups, &ng);
        }

        for(i = 0; i < ng; i++)
            printf("%d\n", groups[i]);

        return 0;
    }

Running strace on the above program while looking up a user who is in /etc/passwd shows ldap being searched, with or without [SUCCESS=return] in nsswitch.conf. Changing nsswitch to [UNAVAIL=return] disables ldap lookups for all requests, even if the user is not in /etc/passwd.

-Jesse