
Re: Local linux login


Welcome back!

 

When you say "a local version" do you mean that there are two directory sources with the same account? E.g.

  • "userX" exists in Active Directory
  • "userX" also exists in /etc/passwd

If this is the case (please correct me in your reply), as you know, "ideally" you would follow the proper principles of Identity Management and have a user population (e.g. Employees, Contractors, Service Accounts) to have a single source. E.g. "service accounts are local and the password is managed by Centrify's vault; employees are sourced from AD only".

 

In the example above, because both NSS/PAM frameworks will find the account in AD first, the local account will be ignored.

However, DirectControl is extremely flexible. You can "ignore" the AD account via parameter or GPO and leverage the local account. In addition, you could also potentially use the "switch user" or su facility.

 

To ignore an account, leverage the ignore capabilities (see info here) either at the NS or PAM levels either temporarily or permanently. You can control this centrally via GPOs.

 

Your suggestion of "temporarily pause/disable the Centrify service so authentication is local and not against AD" is not a good idea and the reasons should be clear.

 

R.P
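
Added example, not part of the original post and not Centrify code: a small audit that lists account names defined both in a local passwd file and in a directory listing, flagging UID mismatches so you can decide which source should own each account. It assumes the AD-side users have been exported in passwd(5) format; the function name, file names and sample entries are constructed for illustration.

```shell
#!/bin/sh
# Report account names present in BOTH a local passwd file and a directory
# listing (passwd(5) format), with the UID each source assigns.

find_collisions() {
    # $1 = local passwd file, $2 = directory listing in passwd format
    awk -F: '
        /^[#+-]/ || NF < 3 { next }                 # skip comments, compat entries, junk
        FILENAME == ARGV[1] { local_uid[$1] = $3; next }   # first file: remember local UIDs
        ($1 in local_uid) {                          # second file: name also exists locally
            status = (local_uid[$1] == $3) ? "same-uid" : "UID-MISMATCH"
            printf "%s local=%s directory=%s %s\n", $1, local_uid[$1], $3, status
        }
    ' "$1" "$2"
}

# --- constructed sample data (not taken from any real system) ---
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
LOCAL_SAMPLE="$tmp/passwd.local"
DIR_SAMPLE="$tmp/passwd.directory"

cat > "$LOCAL_SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
userX:x:1001:1001:Local userX:/home/userX:/bin/bash
svc_backup:x:990:990:Backup service:/var/lib/backup:/sbin/nologin
opsadmin:x:2001:2001:Ops admin:/home/opsadmin:/bin/bash
EOF

cat > "$DIR_SAMPLE" <<'EOF'
userX:x:1040187393:1040187393:User X:/home/userX:/bin/bash
jdoe:x:1040187394:1040187394:J Doe:/home/jdoe:/bin/bash
opsadmin:x:2001:2001:Ops Admin:/home/opsadmin:/bin/bash
EOF

# Names listed here resolve from two sources; a UID mismatch means files owned
# by the local account will not belong to the directory identity of that name.
find_collisions "$LOCAL_SAMPLE" "$DIR_SAMPLE"
```

Names reported as `UID-MISMATCH` are the ones to resolve first, either by making one source authoritative or by using the ignore facility described in the post.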

