> The nsswitch.conf looks fine. I'd look into the ordering of the pam stack. When initializing a "passwd" user's groups it is likely that LDAP is still being consulted for memberships as long as nsswitch.conf has "group: files ldap". Group memberships aren't necessarily limited to a single repository or the repository the user resolved from.