Bug 156945

Summary: [nsswitch.conf] Name service Switch does not work as documented for group
Product: Base System Reporter: wynkoop
Component: conf
Assignee: freebsd-bugs (Nobody) <bugs>
Status: Open
Severity: Affects Only Me    
Priority: Normal    
Version: Unspecified   
Hardware: Any   
OS: Any   

Description wynkoop 2011-05-11 03:40:02 UTC
I first observed this issue in FreeBSD 5, so this pertains to FreeBSD 5.x - 8.2
and probably into HEAD.

group does not honor the behavior documented in the nsswitch.conf man page.

Specifically:

group: files ldap

only files is ever consulted

group: ldap files

only /etc/group is ever consulted

group: files [notfound=continue] ldap

only /etc/group is consulted

group: ldap [notfound=continue] files

only ldap is consulted

passwd seems to behave as documented with relation to nsswitch.conf settings.
I believe that someone needs to look at the code pertaining to groups in
whatever library nsswitch.conf is called from.  This issue will affect
anyone using groups from ldap, nis, or hesiod with the programs su or sudo.

Fix: 

The same sort of code that is used with respect to passwd and hosts needs to be inserted into the libraries that deal with group and nsswitch.conf.
How-To-Repeat: Put a user in group wheel on your ldap server or nis server or hesiod server,
but not in group wheel on the local system and with the following entry
in nsswitch.conf

group: files ldap

Then attempt to run su.  You can also look at the output of
   getent group wheel
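To make the documented semantics concrete, here is an added model of how nsswitch.conf(5) says a `group:` line must be walked. It is illustration code written for this report, not FreeBSD libc's nsdispatch(3); the `files` and `ldap` backends are constructed in-memory stand-ins for /etc/group and an LDAP directory, with sample data chosen so that `wheel` exists in both sources (LDAP carrying one extra member) while `staff` exists only in LDAP. Per the man page, the default action is `success=return` and `notfound=continue` for every source, so `files [notfound=continue] ldap` is the same as `files ldap`, and a group that exists in /etc/group is answered from `files` and never reaches LDAP, which is why the repeat steps should use a group absent from the local file (or check with `getent group`) to tell the documented behaviour from a real defect.

```python
"""Model of the nsswitch.conf(5) source-walking rules for the group database.

Added illustration for this report; not FreeBSD libc (nsdispatch) code.
The backends below are constructed in-memory stand-ins for /etc/group
and an LDAP directory.
"""
import re
from typing import Callable, Dict, List, Optional, Tuple

# Status names and their default actions, as documented in nsswitch.conf(5).
DEFAULT_ACTIONS: Dict[str, str] = {
    "success": "return",
    "notfound": "continue",
    "unavail": "continue",
    "tryagain": "continue",
}

GroupEntry = Tuple[str, str, int, List[str]]        # name, password, gid, members
Backend = Callable[[str], Tuple[str, Optional[GroupEntry]]]

# Constructed sample data (not taken from any real system).
FILES_GROUP: Dict[str, GroupEntry] = {
    "wheel": ("wheel", "*", 0, ["root"]),
    "operator": ("operator", "*", 5, ["root"]),
}
LDAP_GROUP: Dict[str, GroupEntry] = {
    "wheel": ("wheel", "*", 0, ["root", "wynkoop"]),
    "staff": ("staff", "*", 20, ["wynkoop"]),
}

def _table_backend(table: Dict[str, GroupEntry]) -> Backend:
    def query(name: str) -> Tuple[str, Optional[GroupEntry]]:
        return ("success", table[name]) if name in table else ("notfound", None)
    return query

def _unavailable(name: str) -> Tuple[str, Optional[GroupEntry]]:
    return ("unavail", None)        # e.g. nis with no ypbind running, or an unknown source

BACKENDS: Dict[str, Backend] = {
    "files": _table_backend(FILES_GROUP),
    "ldap": _table_backend(LDAP_GROUP),
    "nis": _unavailable,
}

# A token is either a source name or a bracketed criteria list (which may contain spaces).
TOKEN_RE = re.compile(r"\[[^\]]*\]|\S+")

def parse_nsswitch_line(line: str) -> Tuple[str, List[Tuple[str, Dict[str, str]]]]:
    """Parse 'group: files [notfound=continue] ldap' into
    ('group', [('files', {status: action, ...}), ('ldap', {...})])."""
    db, sep, rest = line.partition(":")
    if not sep:
        raise ValueError(f"no database name in {line!r}")
    entries: List[Tuple[str, Dict[str, str]]] = []
    for tok in TOKEN_RE.findall(rest):
        if tok.startswith("["):
            if not entries:
                raise ValueError("criteria must follow a source")
            for pair in tok[1:-1].split():
                status, eq, action = pair.lower().partition("=")
                if not eq or status not in DEFAULT_ACTIONS or action not in ("return", "continue"):
                    raise ValueError(f"bad criterion {pair!r}")
                entries[-1][1][status] = action
        else:
            entries.append((tok.lower(), dict(DEFAULT_ACTIONS)))
    return db.strip().lower(), entries

def lookup(line: str, name: str, backends: Dict[str, Backend] = BACKENDS):
    """Walk the sources left to right and stop when the returned status's
    action is 'return'. Returns (final_status, entry_or_None, sources_consulted);
    the final status is modelled as that of the last source consulted."""
    _, entries = parse_nsswitch_line(line)
    consulted: List[str] = []
    status, value = "notfound", None
    for source, actions in entries:
        status, value = backends.get(source, _unavailable)(name)
        consulted.append(source)
        if actions[status] == "return":
            break
    return status, value, consulted

def user_in_group(line: str, user: str, group: str = "wheel") -> bool:
    """What su/sudo effectively ask: is `user` a member of `group` under this line?"""
    status, entry, _ = lookup(line, group)
    return status == "success" and entry is not None and user in entry[3]

if __name__ == "__main__":
    for cfg in ("group: files ldap", "group: ldap files",
                "group: files [notfound=continue] ldap", "group: ldap [notfound=continue] files"):
        for grp in ("wheel", "staff"):
            st, entry, seen = lookup(cfg, grp)
            members = entry[3] if entry else None
            print(f"{cfg:40} {grp:6} -> {st:8} via {seen} members={members}")
```

Running the model shows that with `files ldap` the local `wheel` entry wins and wynkoop is not a member, while `staff` (absent locally) falls through to LDAP; with `ldap files` the LDAP `wheel` entry wins. A real system that consults only one source for `staff` under `files ldap`, or only `files` under `ldap files` while LDAP is reachable, is departing from the documented rules.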
Comment 1 Eitan Adler freebsd_committer freebsd_triage 2017-12-31 07:59:37 UTC
For bugs matching the following criteria:

Status: In Progress Changed: (is less than) 2014-06-01

Reset to default assignee and clear in-progress tags.

Mail being skipped