PR #2503 made rpm always use local /etc/passwd and /etc/group for user+group information. This is fine and sane for distributions, but it's a different story for 3rd party software which may rely on centrally managed users or groups, for example to control who can run a given software. This need is not a surprise (see #2503 (comment)) but putting it away for a while made it easier to get the core user/group handling into place.

We now need to bring NSS-based user/group owned files back without compromising what has been achieved in the meanwhile:

• systemd-sysusers co-operates with nss, so we just need to make sure rpm behavior aligns with that
• for dependencies, we'll need to hook nss into dependency resolution for user/group requires
• nss per chroot configuration cannot be handled, so this needs to be made into an explicit choice by the user: either use host nss or the local-only files inside the chroot, otherwise error out

Nss-based dependencies are a specific case of #446, so maybe this will open up other interesting possibilities in that direction as well.