Would love to see a way to set custom user shells without requiring the Posix attributes in AD. Currently when using id_provider=ad, auth_provider=ad, ldap_schema=ad, etc. we don't have to set posix attributes for groups as it uses the Windows groups, memberships and SIDs. It also uses the Windows SID for the users.
We are able to use "default_shell" to set a common shell [i.e. /bin/bash] without having posix attributes set in the user account, but when we have users who want to use a different shell [i.e. /bin/ksh or /bin/tcsh], we have to configure the posix attributes for that user.
It would be great if there was a way with sssd to specify an alternate shell for specific users [or group maybe?] without having to set posix attributes for those users.
This could be solved by adding a shell override on individual cache entries and making this user-editable via the InfoPipe.
We had patches in the form of a sss_shell utility some time ago, but I remember simo was firmly against the idea a user could choose his own shell in a centralized environment, hence all the fallback and allow options we have now.
Simo, is it still the case?
cc: => simo@redhat.com
Note that the number of available shells in a system is limited by those explicitly allowed in /etc/shells (/bin/sh+/usr/bin/sh are AFAIK always allowed), so there is no way to "invade" a system with a "random shell" setting via a NIS/LDAP attack vector. That's exactly why /etc/shells was invented in the first place...
cc: simo@redhat.com => simo@redhat.com, rmainz@redhat.com
The way Simo proposed to fix this is something similar to IPA views, except local in sssd.ldb.
milestone: NEEDS_TRIAGE => SSSD 1.14 beta
It's not even about having the users choose their own shell. Even if it were a root-configurable setting, that would be sufficient.
Fields changed
rhbz: => todo
This is exactly what the sss_override tool does: https://jhrozek.wordpress.com/2016/02/15/sssd-local-overrides/
resolution: => fixed
sensitive: => 0
status: new => closed
rhbz: todo => 0
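A root-side helper combining the two points made in this thread, written as an added example that is not part of the ticket or of SSSD: it accepts a requested shell only if it is listed in an /etc/shells-format file, then prints the `sss_override user-add ... -s` command for an administrator to run. The function names, the user-name character restriction and the sample account are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not SSSD code). Nothing here contacts SSSD; it only
# validates input and prints the command for root to review and run.

# shell_is_listed SHELL [FILE]: succeed only if SHELL is an absolute path
# that appears on its own line in FILE (an /etc/shells-format list).
shell_is_listed() {
    want=$1
    list=${2:-/etc/shells}
    case $want in
        *[!A-Za-z0-9/._-]*) return 1 ;;  # unexpected characters
        /*) ;;                           # absolute path, continue
        *) return 1 ;;                   # empty or relative
    esac
    [ -r "$list" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                 # drop comments
        line=$(printf '%s' "$line" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        [ -n "$line" ] || continue
        [ "$line" = "$want" ] && return 0
    done < "$list"
    return 1
}

# override_cmd USER SHELL [FILE]: print the sss_override call, or refuse.
# Assumption: user names are limited to letters, digits and . _ @ -
override_cmd() {
    user=$1
    case $user in
        ''|*[!A-Za-z0-9._@-]*) echo "refusing user name" >&2; return 2 ;;
    esac
    if ! shell_is_listed "$2" "${3:-/etc/shells}"; then
        echo "refusing shell '$2': not in allowed list" >&2
        return 1
    fi
    printf 'sss_override user-add %s -s %s\n' "$user" "$2"
}

# Constructed sample list standing in for /etc/shells.
sample=$(mktemp)
printf '%s\n' '# constructed sample' /bin/sh /bin/bash '' '/bin/ksh  # korn' > "$sample"
override_cmd alice@ad.example.com /bin/ksh "$sample"
override_cmd alice@ad.example.com /tmp/custom-shell "$sample" || echo "rejected as expected"
rm -f "$sample"
```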
Metadata Update from @doubletwist: - Issue set to the milestone: SSSD 1.14 beta
SSSD is moving from Pagure to GitHub. This means that new issues and pull requests will be accepted only in SSSD's GitHub repository.
This issue has been cloned to GitHub and is available here: https://github.com/SSSD/sssd/issues/3508
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on the subscribe button.
Thank you for understanding. We apologize for all inconvenience.