pam.allow.override

This configuration parameter is used to override authentication through Active Directory to ensure the root user or another local account has permission to log on when authentication through Active Directory is not possible, when there are problems running the adclient process, or when there are network communication issues.

When you specify a user account for this parameter, authentication is passed on to a legacy authentication mechanism, such as /etc/passwd. You can use this parameter to specify an account that you want to ensure always has access, even if communication with Active Directory or the adclient process fails. For example, to ensure the local root user always has access to a system even in an environment where you have enabled root mapping, you can specify:

pam.allow.override: root

To log in locally with the override account, you must specify the local user name and password. However, because the account is mapped to an Active Directory account, you must append @localhost to the user name. For example, if you have specified root as the override account and are using root mapping, you would type root@localhost when prompted for the user name. You can then type the local password for the root account and log in without being authenticated through Active Directory.

Note:   If you are mapping the root user to an Active Directory account and password, you should set this parameter to root or to a local user account with root-level permissions (UID 0), so that you always have at least one local account with permission to access system files and perform privileged tasks on the computer even if there are problems with the network connection, Active Directory, or the adclient process.

Note:   If you are using a Solaris machine with the Name Switch Cache Daemon (NSCD) running, you will not be able to log in as an override user using <username>@localhost. (Ref: CS-29816c)

In most cases, you set this configuration parameter using group policy. You can, however, set it manually in the configuration file if you are not using group policy or want to temporarily override group policy.

Note:   The pam.allow.override configuration parameter is not supported on AIX computers. This is because using the user name with the suffix @localhost is not supported on AIX. The LAMGetEntry call that is used to get user information and extended attribute information does not support login name changes. So, the login fails as there is no way to find the user or authenticate the user. There is no equivalent setting for AIX computers. (Ref: CS-33506a )