This is nss_nonlocal, an nsswitch module that acts as a proxy for other nsswitch modules like hesiod, but prevents non-local users from potentially gaining local privileges by spoofing local UIDs and GIDs. To use it, configure /etc/nsswitch.conf as follows: passwd: compat nonlocal passwd_nonlocal: hesiod group: compat nonlocal group_nonlocal: hesiod