nss.passwd.override

This configuration parameter allows you to override user profile entries for zone users. Using this parameter is similar to defining override filters for local users in the /etc/passwd file. Defining override filters gives you fine-grained control over the user accounts that can access a local computer. You can also use the override controls to modify the information for specific fields in each /etc/passwd entry on the local computer. For example, you can override the user ID, primary group ID, default shell, or home directory for specific login accounts on the local computer without modifying the account entry itself.

This function only works with AD users/groups. It does not work with or manage local users/groups.

In most cases, you set this configuration parameter using group policy. The entries created by group policy are then stored in the /etc/centrifydc/passwd.ovr file and used to filter user access to a local computer. You can, however, set this parameter manually in the configuration file if you are not using group policy or want to temporarily override group policy.

The syntax for overriding passwd entries is similar to the syntax used for overriding NIS. You use + and - entries to allow or deny access for specific users on the local system. Additional fields correspond to the standard /etc/passwd fields separated by colons (:).

In most cases, the nss.passwd.override parameter is used to identify the file location of an override file that contains all of the passwd override entries you want to use on the local computer. For example:

nss.passwd.override: file:/etc/centrifydc/passwd.ovr

Although the passwd.ovr file is generated from the list of override entries you specify using group policy, you can also manually create or update the override file on any local computer, if needed. A sample illustrating the syntax is provided in the /etc/centrifydc/passwd.ovr.sample file.

Within the override file, you use the following format for entries:

+zone_username:username:password:uid:gid:GECOS:home_directory:shell

For example:

+mike:::::::/usr/local/ultrabash
+kris:kdavis:x:6:6:Kris Davis:/home/kdavis:/bin/bash
+janedoe@acme.test:jdoe::300:300:::
+@sysadmins:::::::
-ftp
+@staff:::::::
+@rejected-users:::32767:32767:::/bin/false
+:::::::/sbin/nologin
+:::::::

Any override of the password hash field is ignored. Changing this field in the override file does not affect zone user passwords. When overriding passwd entries, user accounts must be enabled for UNIX in the zone, but the groups do not need to be UNIX-enabled.

In the example above, the @ symbol denotes an Active Directory name. It may be an Active Directory group name, a zone name, or some other container name. You may also specify an Active Directory user principal name instead of the zone name.

Entries in the override file are evaluated in order from first to last with the first match taking precedence. This means the system will only use the first entry that matches a particular user. For example, if the user cruz is a member of both the staff group and the rejected-users group and you have defined the override entries as listed in the example above, the cruz user account is allowed to log on to the computer because the staff entry is evaluated and matched before the rejected-users entry. If the order were reversed in the override file, the cruz account would be flagged as a rejected-users account and denied access.
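The following is an added example, not Centrify code: a small Python model of how the passwd.ovr entries above are evaluated (file order, first match wins, empty fields keep the zone user's values, the password field is ignored). The zone user records and the set of Active Directory names a user belongs to are constructed inputs, and an entry that sets the shell to /bin/false is left for the caller to interpret as a denial.

```python
# Added example (not Centrify code): models passwd.ovr evaluation as the page
# describes it. Zone user records and AD memberships are constructed inputs.

FIELDS = ["name", "password", "uid", "gid", "gecos", "home", "shell"]

# The example override file from the page, embedded so this runs offline.
SAMPLE_OVR = """\
+mike:::::::/usr/local/ultrabash
+kris:kdavis:x:6:6:Kris Davis:/home/kdavis:/bin/bash
+janedoe@acme.test:jdoe::300:300:::
+@sysadmins:::::::
-ftp
+@staff:::::::
+@rejected-users:::32767:32767:::/bin/false
+:::::::/sbin/nologin
+:::::::
"""

def parse_override(text):
    """Return (action, selector, overrides) tuples in file order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        action, parts = line[0], line[1:].split(":")
        selector, fields = parts[0], parts[1:]
        fields += [""] * (len(FIELDS) - len(fields))   # "-ftp" carries no fields
        # keep only non-empty fields; an override of the password hash is ignored
        overrides = {k: v for k, v in zip(FIELDS, fields) if v and k != "password"}
        rules.append((action, selector, overrides))
    return rules

def matches(selector, user, memberships):
    if selector == "":                       # catch-all entry such as "+:::::::"
        return True
    if selector.startswith("@"):             # AD group, zone or container name
        return selector[1:] in memberships
    return selector in (user["name"], user.get("upn"))   # zone name or UPN

def resolve(rules, user, memberships):
    """First matching entry decides: None if denied, else the effective entry."""
    for action, selector, overrides in rules:
        if matches(selector, user, memberships):
            return None if action == "-" else {**user, **overrides}
    return None   # nothing matched; a file ending in "+:::::::" avoids this
```

Running `resolve(parse_override(SAMPLE_OVR), cruz, {"staff", "rejected-users"})` for a constructed user cruz returns the unchanged zone entry, while swapping the staff and rejected-users lines returns an entry with uid 32767 and shell /bin/false.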

If you manually create the passwd.ovr file, you must include the following as the last line in the file:

+:::::::

For more information about overriding passwd entries, see the sample passwd override file /etc/centrifydc/passwd.ovr. For information about using the NSS Overrides group policy to generate and maintain the passwd.ovr file, see the Access Manager online help.

If you make changes to this parameter or the override file, you should run adflush to clear the cache to ensure your changes take effect.