In contrast to the documented behavior 'nss_wrapper is able to load nss modules and ask them first before looking into the faked passwd and group file.' the faked files are always checked first.
It would be good to have an additional environment variable like e.g.:
to be able to tune the behavior.