How to hide a user from the local system if they are denied through Authentication Services (QAS).
I want su - username to fail if the user is not allowed access, even when run from root.
First su is succeeding when the user should be denied.
This can be accomplished by setting the user-hide-if-denied vas.conf setting to true. To configure this option from the command line run the following:
From the vas.conf man page:
By default, all available users are visible from the standard getpw* and getgr* functions. Setting this option to true will cause nss_vas not to return users if they are denied access according to the host access control rules. This virtually hides those users as if they are not available on the system. This option is off by default. If this option is changed, the groups cache must be flushed before denied users will be excluded from membership lists returned from getgr* calls. Note that this is a global option and will modify the behavior of nss_vas in all processes on the Unix host.
The following example shows what to set in /etc/opt/quest/vas/vas.conf file to hide users who are denied access from the getpw* family of functions.
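To confirm the setting is actually in effect, the check below is an added example, not part of the original article or the vendor's documentation. It assumes the option is read from the [nss_vas] section of vas.conf; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the article. Assumption: user-hide-if-denied
# belongs to the [nss_vas] section of vas.conf. Function names are hypothetical.

# Print the effective user-hide-if-denied value from a vas.conf-style file;
# prints "false" (the documented default) when the option is absent.
vas_hide_setting() {
    awk '
        /^[ \t]*#/ { next }                      # ignore comment lines
        /^[ \t]*\[/ {                            # section header: remember its name
            sec = $0
            sub(/^[ \t]*\[/, "", sec)
            sub(/\].*$/, "", sec)
            next
        }
        sec == "nss_vas" {                       # only this section counts
            n = index($0, "=")
            if (n == 0) next
            key = substr($0, 1, n - 1)
            val = substr($0, n + 1)
            gsub(/[ \t]/, "", key)
            gsub(/[ \t\r]/, "", val)
            if (key == "user-hide-if-denied") found = tolower(val)
        }
        END { print (found == "" ? "false" : found) }
    ' "$1"
}

# Succeed when NSS returns no passwd entry for the account, which is what
# a denied user should look like once the option is active.
user_hidden() {
    ! getent passwd "$1" >/dev/null 2>&1
}

# Constructed sample (not from a real host); the first entry is deliberately
# placed in the wrong section to show that it is ignored.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[vasd]
 user-hide-if-denied = false
[nss_vas]
 # hide accounts rejected by host access control
 user-hide-if-denied = true
EOF
echo "user-hide-if-denied = $(vas_hide_setting "$sample")"
rm -f "$sample"
```

On a QAS host, point vas_hide_setting at /etc/opt/quest/vas/vas.conf and call user_hidden with an account that host access control denies; both should agree before relying on su failing for that account.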