getent shadow shows password hashes for some users

If I execute

sudo getent shadow

I see password hashes for all the local users who have them. For most of the LDAP accounts I only see * in the password field. However, for a few LDAP users, I see password hashes. I have verified that they don't have local accounts (i.e. no entry in /etc/passwd but getent passwd username returns a line).

In fact, logged in as myself, my user entry is one of the ones with an *.

There is a single LDAP server running OpenLDAP with a single group of accounts (one branch in the tree).

The LDAP-client servers are running nscd and libnss-ldap.

This is a portion of /etc/nsswitch.conf on the LDAP-client servers:

passwd:         files ldap
group:          files ldap
shadow:         files ldap

LDAP is used to authenticate the user for login to the LDAP-client server in this case, and at some point the authentication mechanism (PAM, in this case) must check a hash of the password provided by the user at login against the stored hash, which is contained in the LDAP database.

Each user's LDAP account stores their password hash and has the objectClasses of posixAccount and shadowAccount (among other values and settings).

Only system accounts have local entries in /etc/passwd and /etc/shadow. User accounts are all in LDAP (and only there). All users in LDAP have userPassword entries.

What might cause this or how can I run down the cause of it? Why doesn't getent shadow return password hashes for all LDAP users?
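One way to run down which entries are affected, offered here as an added example and not part of the original question or any answer to it: a small Python audit that takes the text of `getent shadow` and the contents of the local `/etc/passwd`, labels each shadow entry as coming from the files source (name present in the local passwd file) or from the directory (name absent from it), and distinguishes a placeholder or locked field (`*`, `!`, `!!`, empty) from a real crypt hash (`$id$salt$hash`) or an OpenLDAP-style `{SCHEME}` value of the kind stored in userPassword. The sample shadow and passwd contents below are constructed and the hash strings in them are not real hashes; the file names read from the command line are the caller's choice.

```python
"""Audit `getent shadow` output: which directory-sourced users expose a real hash?

Added example (not from the original post). Sample data below is constructed.
Usage:  sudo getent shadow > /tmp/shadow.txt
        python3 shadow_audit.py /tmp/shadow.txt /etc/passwd
Without arguments it runs on the embedded samples.
"""
import sys

# Values that mean "no usable hash here" rather than a real password hash.
PLACEHOLDERS = {"*", "!", "!!", ""}

# Constructed sample of `getent shadow` output: two local users and three
# directory users. The hash-looking strings are made up, not real hashes.
SAMPLE_SHADOW = """\
root:$6$c0nstruct$Zm9vYmFyYmF6cXV4:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:*:::::::
bob:$6$m4deup$YW5vdGhlcmZha2U:19000:0:99999:7:::
carol:{SSHA}c29tZWJhc2U2NHN0cmluZw==:::::::
"""

# Constructed sample of the local /etc/passwd (system accounts only).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
"""


def parse_colon_file(text):
    """Yield (name, second_field) from passwd-/shadow-style lines, skipping blanks/comments."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        yield fields[0], (fields[1] if len(fields) > 1 else "")


def classify_hash(field):
    """Name the kind of value sitting in the shadow password field."""
    if field in PLACEHOLDERS or field.startswith("!"):
        return "locked_or_placeholder"     # nothing usable, or a locked account
    if field.startswith("{"):
        return "ldap_scheme"               # {SSHA}/{SHA}/... style directory value
    if field.startswith("$"):
        return "crypt_hash"                # $id$salt$hash as written by crypt(3)
    return "other"                         # DES-style or unrecognised content


def audit(shadow_text, local_passwd_text):
    """Map user -> (source, hash_kind). Source is 'files' if the name is in the local passwd."""
    local_users = {name for name, _ in parse_colon_file(local_passwd_text)}
    report = {}
    for name, field in parse_colon_file(shadow_text):
        source = "files" if name in local_users else "ldap"
        report[name] = (source, classify_hash(field))
    return report


def exposed_directory_hashes(report):
    """Directory-only users whose shadow field carries a real hash instead of a placeholder."""
    return sorted(name for name, (source, kind) in report.items()
                  if source == "ldap" and kind in ("crypt_hash", "ldap_scheme"))


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f_shadow, open(sys.argv[2]) as f_passwd:
            shadow_text, passwd_text = f_shadow.read(), f_passwd.read()
    else:
        shadow_text, passwd_text = SAMPLE_SHADOW, SAMPLE_PASSWD
    result = audit(shadow_text, passwd_text)
    for user, (source, kind) in sorted(result.items()):
        print(f"{user:<16} {source:<6} {kind}")
    print("directory users exposing a hash:", ", ".join(exposed_directory_hashes(result)) or "none")
```

The report separates the two questions the asker is juggling: whether a name is served by files or by the directory, and whether the field holds a placeholder or real hash material. Comparing the exposed list against the LDAP entries themselves (for example with ldapsearch as the same bind identity nss_ldap uses) then shows whether the difference lies in the directory objects or in the client lookup path.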
