This is a feature request more than a bug. It appears that /etc/nsswitch.conf
generally allows one to specify which sources of user information shadow others,
but this doesn't really work for group information. That is, if I say "passwd:
files winbind", user 'foo' in files completely shadows any user 'foo' in
winbind, as far as passwd information goes.

But, if I say "group: files winbind", it appears that both files and winbind are
used to determine the set of secondary groups for a user.

What I would like is a way to say that if a user is found in the first source
(files) that *only* that source will be used for group information, and that
nothing will come from the later source (winbind in this example).

By secondary groups I assume you mean the groups handled by initgroups and getgrouplist.
I agree that something better is warranted. Some time ago I already added an initgroups entry to nsswitch.conf. Now I also added code to not proceed to the next service in case of a successful lookup in case the initgroups entry is used. If the nsswitch.conf file only contains a groups entry the behavior doesn't change. The result is in git.
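
The difference between the two behaviours discussed in this thread, as an added example that is not part of the original report and is not glibc code: a simplified Python model of supplementary-group resolution. The service contents, the helper names, and the rule that a lookup "succeeds" when a service returns at least one group are assumptions made for illustration; bracketed action items are ignored.

```python
# Simplified model of supplementary-group resolution (not glibc source).
# Constructed sample data: the groups each NSS service reports per user.
SERVICES = {
    "files":   {"foo": ["staff"], "bar": []},
    "winbind": {"foo": ["domain admins"], "bar": ["domain users"]},
}

def parse_nsswitch(text):
    """Return {database: [service, ...]}; comments and [action] items are dropped."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        db, rest = line.split(":", 1)
        conf[db.strip()] = [t for t in rest.split() if not t.startswith("[")]
    return conf

def supplementary_groups(user, nsswitch_text, services=SERVICES):
    """Model which groups a user ends up with under a given nsswitch.conf."""
    conf = parse_nsswitch(nsswitch_text)
    if "initgroups" in conf:
        # initgroups entry present: stop at the first service that succeeds.
        for svc in conf["initgroups"]:
            groups = services.get(svc, {}).get(user, [])
            if groups:  # assumption: success means the service returned groups
                return sorted(groups)
        return []
    # Only a group entry: every listed service contributes to the result.
    merged = set()
    for svc in conf.get("group", []):
        merged.update(services.get(svc, {}).get(user, []))
    return sorted(merged)

# Constructed configurations: the reporter's setup, then the same with initgroups.
GROUP_ONLY = "passwd: files winbind\ngroup: files winbind\n"
WITH_INITGROUPS = GROUP_ONLY + "initgroups: files winbind\n"

if __name__ == "__main__":
    for user in ("foo", "bar"):
        print(user, supplementary_groups(user, GROUP_ONLY),
              supplementary_groups(user, WITH_INITGROUPS))
```

In this model, user 'foo' picks up the winbind group only when the file has no initgroups line, which is the case to check for when auditing who can gain privileged group membership through a later source.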