This configuration parameter allows you to override group profile entries for zone groups. Using this parameter is similar to defining override filters for local groups in the /etc/group file. Override filters give you fine-grained control over the groups that can access a local computer. You can also use the override controls to modify the information for specific fields in each group entry on the local computer. For example, you can override the group ID or member list for a specific group on the local computer without modifying the group entry itself.
In most cases, you set this configuration parameter using group policy. The entries created by group policy are then stored in the /etc/centrifydc/group.ovr file and used to filter group access to a local computer. You can, however, set this parameter manually in the configuration file if you are not using group policy or want to temporarily override group policy.
The syntax for overriding group entries is similar to the syntax used for overriding NIS. You use + and - entries to allow or deny access for specific groups on the local system. Additional fields correspond to the standard /etc/group fields separated by colons (:).
In most cases, the nss.group.override parameter is used to identify the location of an override file that contains all of the group override entries you want to use on the local computer. For example:
Within the override file, you use the following format:
+users::::
+admins::::jdoe,bsmith,frank
+ftpusers:ftp::300:
-webusers
+::::
Note: Changes to the group password field are ignored.
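The following added example (not part of the product or its documentation) parses override entries in the format described above and flags lines worth reviewing before the file is deployed. It assumes the fields after the +/- group selector follow /etc/group order (name, password, group ID, member list), that an entry with an empty group name is a catch-all, and that lines starting with # are comments; the function names are hypothetical.

```python
# Added example: audit a group override file before deploying it.
SAMPLE = """\
+users::::
+admins::::jdoe,bsmith,frank
+ftpusers:ftp::300:
-webusers
+::::
"""  # the page's sample entries, one per line

def parse_override(text):
    """Return one dict per entry; raise ValueError on malformed lines."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # assumption: # starts a comment
            continue
        if line[0] not in "+-":
            raise ValueError(f"line {lineno}: entry must start with + or -")
        fields = line[1:].split(":")
        if len(fields) > 5:
            raise ValueError(f"line {lineno}: too many fields")
        # Assumed field order: selector, then name, password, gid, members.
        group, name, passwd, gid, members = fields + [""] * (5 - len(fields))
        if gid and not gid.isdecimal():
            raise ValueError(f"line {lineno}: group ID must be numeric")
        entries.append({
            "line": lineno,
            "action": "allow" if line[0] == "+" else "deny",
            "group": group or "*",             # empty name: catch-all (assumption)
            "name": name or None,
            "password": passwd or None,
            "gid": int(gid) if gid else None,
            "members": [m for m in members.split(",") if m],
        })
    return entries

def audit(entries):
    """Flag entries a reviewer should look at before the file goes live."""
    findings = []
    for e in entries:
        if e["password"]:                      # the page notes this field is ignored
            findings.append(f"line {e['line']}: password field is ignored")
        if e["action"] == "allow" and e["group"] == "*":
            findings.append(f"line {e['line']}: catch-all allow entry")
        if e["gid"] == 0:
            findings.append(f"line {e['line']}: group ID overridden to 0")
    return findings

if __name__ == "__main__":
    print(audit(parse_override(SAMPLE)))
```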
For more information about overriding group entries, see the sample group override file /etc/centrifydc/group.ovr.
Note: If you make changes to this parameter or the override file, you should run adflush to clear the cache to ensure your changes take effect.