
The file /etc/nsswitch.conf defines the order of NSS modules used to do lookups in NSS maps. Strictly speaking, lookups in the passwd map are not used for authentication, only for checking the existence of a user trying to log in.

Password authentication is done via the PAM stack configured in /etc/pam.d for each service using PAM.

  • For local users the PAM module pam_unix.so does an NSS lookup in the shadow map to get the hashed password and checks the user's password against it.
  • For remote LDAP users the shadow map should not be used. For example, sssd sends an LDAP simple bind request to let the LDAP server check the user's password remotely. It does not query password hashes.

So to find out the order of PAM authc modules used, you have to examine the files in directory /etc/pam.d. Most Linux systems today have common include files they use for every service, such as /etc/pam.d/common-auth, most times a symlink to common-auth-pc created by the tool pam-config.
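One way to do that examination and list a service's auth modules in evaluation order, expanding `include`, `substack` and `@include` lines and resolving symlinks such as common-auth. This is an added example, not part of the original answer; the names `auth_stack` and `demo` and the sample file contents are constructed for illustration.

```python
import os, re, tempfile

# "type control module [args]"; control may be a bracketed [value=action ...] list
LINE = re.compile(r"^-?(?P<type>\w+)\s+(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)")

def auth_stack(service, pam_dir="/etc/pam.d", _stack=()):
    """Ordered (control, module, file) auth entries for a service, includes expanded."""
    path = os.path.realpath(os.path.join(pam_dir, service))  # resolves symlinks
    if path in _stack or not os.path.isfile(path):
        return []  # include loop or missing file
    with open(path) as fh:
        text = fh.read().replace("\\\n", " ")  # join backslash-continued lines
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        parts = line.split()
        if len(parts) > 1 and parts[0] == "@include":  # Debian-style, all types
            entries += auth_stack(parts[1], pam_dir, _stack + (path,))
            continue
        m = LINE.match(line)
        if not m or m["type"] != "auth":
            continue
        if m["control"] in ("include", "substack"):  # third field is a file name
            entries += auth_stack(m["module"], pam_dir, _stack + (path,))
        else:
            entries.append((m["control"], m["module"], os.path.basename(path)))
    return entries

def demo():
    """Build a constructed /etc/pam.d look-alike and resolve the sshd auth stack."""
    files = {  # constructed sample content, not taken from a real system
        "sshd": "auth requisite pam_nologin.so\nauth include common-auth\n"
                "account include common-account\n",
        "common-auth-pc": "auth required pam_env.so\n"
                          "auth sufficient pam_unix.so try_first_pass\n"
                          "auth required pam_sss.so use_first_pass\n",
        "common-account": "account required pam_unix.so\n",
    }
    with tempfile.TemporaryDirectory() as d:
        for name, body in files.items():
            with open(os.path.join(d, name), "w") as fh:
                fh.write(body)
        os.symlink("common-auth-pc", os.path.join(d, "common-auth"))
        return auth_stack("sshd", d)

if __name__ == "__main__":
    for control, module, src in demo():
        print(f"{src:16} {control:12} {module}")
```

On a real host, `auth_stack("sshd")` reads /etc/pam.d directly; the third column shows which file each module line actually came from.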
