On Thu, 28 Apr 2011, Mattias Geniar wrote:

>> Did you include nss_initgroups_ignoreuser in your /etc/ldap.conf?
>>
>> nss_initgroups_ignoreusers root,ldap
>>
>> Brgds
>
> Hi Benjamin,
>
> I tried that, but that just makes it hang upon the next service trying
> to start (in our case: a zabbix monitoring daemon running as
> zabbix/zabbix).
>
> It works, if I include the entire list of all "local" users/groups that
> can be ignored. However, that's not feasible when doing mass-deploys on
> varied systems.
>
> If there's a way to simply say "ignore all users with UID's < 500" that
> could be a work-around I can live with, but it doesn't appear there is.

I'd hope you'd see these problems almost entirely go away in future with a switch to sssd rather than nss_ldap, as it makes the whole process a lot more stateful and aware of what's going on.

Having an rc.local that does an nsswitch.conf twiddle is probably a viciously robust way of dealing with this problem...

jh
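
The ignore list discussed in this thread can be generated on each host from its local passwd file rather than maintained by hand. The script below is an added example, not part of the thread or of nss_ldap; the function names `build_ignoreusers_line`, `sample_passwd` and `demo` are hypothetical, and the passwd entries are constructed sample data.

```shell
#!/bin/sh
# Added example: build the nss_initgroups_ignoreusers line for /etc/ldap.conf
# from local accounts whose UID is below a cut-off (500 in the thread).

# build_ignoreusers_line PASSWD_FILE [UID_LIMIT]
# Prints "nss_initgroups_ignoreusers a,b,c" for every account in PASSWD_FILE
# whose numeric UID is below UID_LIMIT (default 500). Prints nothing if no
# account matches, so an empty option is never written.
build_ignoreusers_line() {
    passwd_file=$1
    uid_limit=${2:-500}
    awk -F: -v limit="$uid_limit" '
        # Skip comments, blank or short lines and NIS compat entries (+/-).
        /^[#+-]/ || NF < 3 { next }
        # Accept only purely numeric UIDs; malformed rows are ignored.
        $3 !~ /^[0-9]+$/ { next }
        # Keep each name once, in file order.
        ($3 + 0) < (limit + 0) && !seen[$1]++ {
            list = (list == "" ? $1 : list "," $1)
        }
        END { if (list != "") print "nss_initgroups_ignoreusers " list }
    ' "$passwd_file"
}

# Constructed sample passwd data (not taken from a real host).
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
ldap:x:55:55:LDAP User:/var/lib/ldap:/sbin/nologin
zabbix:x:101:101:Zabbix:/var/lib/zabbix:/sbin/nologin
alice:x:500:500:Alice:/home/alice:/bin/bash
broken:x:notanumber:1::/:/bin/false
+::::::
EOF
}

# demo [UID_LIMIT]: run the generator over the constructed sample.
demo() {
    tmp=$(mktemp) || return 1
    sample_passwd > "$tmp"
    build_ignoreusers_line "$tmp" "${1:-500}"
    rm -f "$tmp"
}

demo
```

On a real host the first argument would be `/etc/passwd`, and the printed line would replace any existing `nss_initgroups_ignoreusers` entry in `/etc/ldap.conf` as part of the deployment step.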