The results from "getent group" may be truncated when using nss_db. This will happen when getgrent() encounters a group entry long enough to overflow the default 1024 byte buffer. getgrent() sets errno to ERANGE and returns NULL, but getent fails to check errno, and truncates the results at this point. Two things make me suspect that this failure is avoidable: 1. Requesting a specific long group entry will return it in full, e.g.: getent group myverylonggroup 2. Our local configuration in /etc/nsswitch.conf looks like this: group: files db Long entries in group.db will cause output from "getent group" to be truncated as described, but if I add a long entry to /etc/group, it will be output in full, along with all subsequent entries in group.db. It appears that that nss_files will grow the buffer as required, and then the expanded buffer is used by nss_db.
As groups can be used to deny privileges (see DenyGroups in OpenSSH), this is a potential minor security issue.