Oops: you are right.

I have written in nsswitch.conf:

group: sss files

instead of

group: files sss

And I obtain (more or less) what I want.

Thanks!

---
Olivier

2012/3/13 Stef Bon:
> Isn't this a nss question, and not PAM?
>
> Stef
>
> 2012/3/13 bloguillard <blog@xxxxxxxxxxxxxxx>:
>> Hello,
>>
>> I have configured a redhat box to authenticate users over an
>> openldap server. "System" accounts (uid > 500) are not
>> created in ldap but are authenticated over local password db.
>>
>> system-auth :
>> ...
>> auth required pam_env.so
>> auth sufficient pam_unix.so nullok try_first_pass
>> auth requisite pam_succeed_if.so uid >= 500 quiet
>> auth sufficient pam_sss.so use_first_pass
>> auth required pam_deny.so
>> ...
>>
>> My ldap directory also contains posixgroups.
>>
>> I noticed that if I configure locally a system account to use
>> an ldap GID, then the user is properly registered as a member
>> of this group as well as any other groups it would be a member
>> of locally (declared in /etc/group).
>>
>> But if I declare in local /etc/passwd a local group as being the
>> primary group for that user, then the user is not registered as being
>> a member of any ldap group it would be "subscribed" to.
>>
>> QUESTION: is there any way to configure pam to say that the
>> user group list includes ldap groups the user is a member of
>> as well as local groups, even if the primary group of that user
>> is local?
>>
>> Thanks
>>
>> ---
>> Olivier
>>
>> _______________________________________________
>> Pam-list mailing list
>> Pam-list@xxxxxxxxxx
>> https://www.redhat.com/mailman/listinfo/pam-list