nss.user.ignore

This configuration parameter specifies one or more users that the Centrify NSS module will ignore for lookup in Active Directory. Because this parameter allows you to intentionally skip looking up specific accounts in Active Directory, it allows faster lookup for system accounts such as tty, root, and bin.

Note: This configuration parameter only ignores the listed users for NSS lookups. To ignore users for authentication and NSS lookups, use the pam.ignore.users configuration parameter.

In most cases, this configuration parameter’s value is generated automatically by group policy.

If you select the Specify user names to ignore policy and click Enabled, you can type the list of local user names not stored in Active Directory. This list is then stored in the /etc/centrifydc/user.ignore file and used to automatically generate the /etc/centrifydc/uid.ignore file. These files are then used to disable looking up account information in Active Directory for the users specified, which results in faster name lookup service for system user accounts such as tty and disk.

You can, however, set it manually in the configuration file if you are not using group policy or want to temporarily override group policy.

If you are manually setting this parameter, the parameter value should be one or more user names, separated by a space, or the file: keyword and a file location. For example:

nss.user.ignore: root sys tty
nss.user.ignore=file:/etc/centrifydc/user.ignore

A default set of users to ignore is defined in the sample /etc/centrifydc/user.ignore and /etc/centrifydc/uid.ignore files. If you are not using group policies, you can uncomment the nss.user.ignore parameter in the /etc/centrifydc/centrifydc.conf file to ignore the default set of users.

Note: If you plan to edit the user.ignore file, be sure to run the adreload command after modifying the file to have the changes take effect.
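Because the ignore list is meant to hold local user names only, it is worth checking that every listed name actually has a local account. The following is an added example, not Centrify code: it resolves the effective list from either form of the parameter shown above and reports names with no local passwd entry. The helper names, the sample data, the ignore-file format (whitespace-separated names, # comments) and the last-setting-wins rule are assumptions.

```python
import re

# Matches both "name: value" and "name=value", the two forms shown above.
# A commented-out line starts with '#' and therefore does not match.
PARAM_RE = re.compile(r"^\s*nss\.user\.ignore\s*[:=]\s*(.*?)\s*$")

# Constructed sample data, not taken from a real host.
SAMPLE_CONF = """\
# nss.user.ignore: root bin
nss.user.ignore: root sys tty svc_backup
"""
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
sys:x:3:3:sys:/dev:/usr/sbin/nologin
tty:x:5:5:tty:/dev:/usr/sbin/nologin
"""


def read_names(path):
    """Assumed file format: whitespace-separated names, '#' starts a comment."""
    names = []
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            names.extend(line.split("#", 1)[0].split())
    return names


def effective_ignore_list(conf_text):
    """Names from the last uncommented nss.user.ignore line (last-wins is an assumption)."""
    value = None
    for line in conf_text.splitlines():
        match = PARAM_RE.match(line)
        if match:
            value = match.group(1)
    if value is None:
        return []
    if value.startswith("file:"):
        return read_names(value[len("file:"):])
    return value.split()


def audit(conf_text, passwd_text):
    """Return (local, missing): ignored names with and without a local passwd entry."""
    local_users = {ln.split(":", 1)[0] for ln in passwd_text.splitlines() if ln.strip()}
    ignored = effective_ignore_list(conf_text)
    return ([n for n in ignored if n in local_users],
            [n for n in ignored if n not in local_users])


if __name__ == "__main__":
    local, missing = audit(SAMPLE_CONF, SAMPLE_PASSWD)
    print("ignored and local:", local)
    print("ignored but not local (review):", missing)
```

A name reported as missing is skipped for Active Directory lookup and has no local entry either, so it is usually a typo or an account that should not be on the list.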