#3939 [RFE]: let "default_shell" defined in server's sssd.conf be obeyed on clients
Closed: duplicate 5 years ago Opened 10 years ago by ttorcz.

There are two similar overrides: "fallback_homedir" and "default_shell", useful for users without ~ and shell defined. If entered in the server's sssd.conf:
1. homedir setting takes effect on both server and client
2. shell setting works only on server

This is because:

164651 <jhrozek> zdzichuBG: for AD users you need to define the overrides even on the clients
164716 <jhrozek> zdzichuBG: the extended operation only returns name, uid and gid to the client
164744 <jhrozek> zdzichuBG: maybe open a RFE against freeipa server, since we now have the special server mode it should be possible to honor the overrides on the server as well

Jakub, is this still a valid request with https://fedorahosted.org/sssd/ticket/2041 closed?

I am also thinking this request is slightly related: https://fedorahosted.org/sssd/ticket/2474

Replying to [comment:7 mkosek]:

> Jakub, is this still a valid request with https://fedorahosted.org/sssd/ticket/2041 closed?

Yes, it is still a valid request.

> I am also thinking this request is slightly related: https://fedorahosted.org/sssd/ticket/2474

Yes. With the current code, we added the possibility to transfer custom attributes from server to client. But previously, the homedir was always set by the subdomain homedir unconditionally -- so we didn't want to break the homedir value during an upgrade.

What we should do is to add a new special value for subdomain_homedir valid in the server mode that would say something like "use the value set with the server's POSIX attributes". This needs to be an opt-in feature at least for upgrades (it's probably OK to set it for new installs) since we really don't want to change the user homedir after an upgrade.

Short discussion we had with abbra and jhrozek:

  • mkosek: Does it mean we close the homedir claim as WONTFIX?
  • abbra: No, we still need to make sure there is a way to do templated setting. Right now ID overrides are personal while for homedir and shell it would be good to have some templating added so that you don't need to override every single user to get them right.
  • mkosek: Hmm, so Global Trust View could not be updated to help?
  • abbra: We don't have something like 'for all users from domain foo.bar apply these values'. We can trivially make support for that in IPA CLI but SSSD needs to understand it: "# ipa idoverrideuser-add 'default trust view' 'FOO.BAR' '--homedir=/home/{sn}.{givenname}'". But SSSD in IPA server mode needs to pick up an entry with dn=:SID:<sid of FOO.BAR domain> and make templated replacements based on attributes of the AD entry.
  • mkosek: But wouldn't an ID View based solution be better manageable than having to update sssd.conf on all IdM controllers? I.e. go with your proposal?
  • jhrozek: We need to fix SSSD either way, because at the moment sssd always uses subdomain_homedir value which is always defined.
  • abbra: Yep. And I'm fine with my proposal, obviously. :-)

Moving to 4.4 for now, abbra's proposal can be a separate RFE.

Metadata Update from @ttorcz:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.5 backlog

7 years ago

Metadata Update from @rcritten:
- Issue close_status updated to: duplicate
- Issue status updated to: Closed (was: Open)

5 years ago
