
KB-4803: What is the impact of placing files before centrifyda in /etc/nsswitch.conf

Centrify DirectAudit

26 December,14 at 10:09 PM

Question:
What is the impact of placing files before centrifyda in /etc/nsswitch.conf?

Answer:
If you place 'files' in front of 'centrifyda' in /etc/centrifyda/centrifyda.conf, all the NSS calls are satisfied by /etc/passwd first.

Local users will be matched by this module, and the user's shell will be whatever is stored in /etc/passwd.

Since the DA NSS module is not invoked, there is no software module that inserts the DA shell in the passwd entry returned to the login process.

This means all local users WILL NOT be audited, regardless of what the customer sets in their configuration.

You can still use per-command auditing for all users (which includes both local and AD users).

AD users should not be impacted. They will be audited as specified in their audit level.

The dainfo command will report "NSS Active" only when centrifyda is the first entry in nsswitch.conf.

If you modify the file to have "files" first, the dainfo command will not return the correct status (AD users are being audited).
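A host-side check for the ordering described above, as an added example (not Centrify code): it reads the passwd line of nsswitch.conf and, when files precedes centrifyda, lists the local accounts whose sessions would not be audited. The function names, the status strings and the filter on nologin/false shells are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the original article or of Centrify's tooling.
# da_nss_order [nsswitch.conf] prints one of (status strings are assumptions):
#   files-before-centrifyda | centrifyda-ahead | centrifyda-missing | no-passwd-line
da_nss_order() {
    conf=${1:-/etc/nsswitch.conf}
    awk '
        { sub(/#.*/, "") }                        # drop comments
        /^[ \t]*passwd[ \t]*:/ && !seen {
            seen = 1
            sub(/^[ \t]*passwd[ \t]*:/, "")
            n = split($0, src, /[ \t]+/)
            for (i = 1; i <= n; i++) {
                t = src[i]
                # skip action items such as [NOTFOUND=return]
                if (substr(t, 1, 1) == "[") inb = 1
                if (inb) { if (substr(t, length(t), 1) == "]") inb = 0; continue }
                if (t == "") continue
                pos++
                if (t == "centrifyda" && !da) da = pos
                if (t == "files" && !fi) fi = pos
            }
        }
        END {
            if (!seen)               print "no-passwd-line"
            else if (!da)            print "centrifyda-missing"
            else if (fi && fi < da)  print "files-before-centrifyda"
            else                     print "centrifyda-ahead"
        }' "$conf"
}

# da_unaudited_local_users [nsswitch.conf] [passwd]
# When files is consulted first, local users keep the shell stored in the
# passwd file, so the DA shell is never inserted. Print those accounts,
# leaving out ones whose shell ends in nologin or false (assumed filter).
da_unaudited_local_users() {
    conf=${1:-/etc/nsswitch.conf}
    passwd=${2:-/etc/passwd}
    [ "$(da_nss_order "$conf")" = "files-before-centrifyda" ] || return 0
    awk -F: '$1 !~ /^[#+-]/ && NF >= 7 && $7 !~ /(nologin|false)$/ { print $1 }' "$passwd"
}
```

Call both functions with no arguments to check the live /etc/nsswitch.conf and /etc/passwd; per-command auditing, as noted above, is unaffected by this ordering.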

 
