Using RHEL System Security Services (SSS) as an example.
When /etc/nsswitch.conf is configured as follows
passwd: files vas4 sss
Local users can logon, QAS users can logon but SSS users cannot logon.
Users who are not local or QAS enabled but are SSS enabled are unable to authenticate.
For QAS 4.0.3.x
Upgrade to QAS 18.104.22.168 of greater.
For QAS 4.1.x
Upgrade to QAS 4.1.21770
For both versions of QAS the following lines may have to be commented out in “password-auth-ac”
auth requisite pam_vas3.so echo_return
account requisite pam_vas3.so echo_return
password requisite pam_vas3.so echo_return
session requisite pam_vas3.so echo_return
By having these commented out it allows the password to be passed on from QAS for SSS users otherwise the password would be removed from the stack preventing SSS enabled users from authenticating.
Change the order in /etc/nsswitch.conf for the database search by putting VAS4 last
passwd: files sss vas4
Local users can logon, SSS users can logon and QAS users can logon.