Version 2 (modified by jdreed, 9 years ago) (diff)


Full nss_nonlocal documentation is at

tl;dr nss_nonlocal ensures that NSS sources not on your machine ("non local", e.g. Hesiod) don't take precedence over local ones.

NSS_NONLOCAL_IGNORE=ignore means that nonlocal users will be deemed not to exist at all while that variable is set. We currently do this in adduser, dpkg, and a few other places. We do it in dpkg, because e.g. a package might want to add a 'www' user, so it will first run 'getent' to see if the user exists. Without NSS_NONLOCAL_IGNORE, it would see the Hesiod user of that name, and make all sorts of incorrect assumptions.

Seee #627 for an example of an unusual screw case.