[Freeipa-users] [freeipa-users] How to manage Linux attributes for AD users (e.g. how do I set a shell for an AD User)

Jon three18ti at gmail.com
Thu Feb 4 19:57:20 UTC 2016


Hi Josh,

I think that's exactly the problem though, how does one set POSIX
attributes in AD from Linux guests?

The RedHat documentation has a big warning that the Microsoft IDMU has been
deprecated.

>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/ex.sssd-ad-posix.html

Surely you're not suggesting manually editing the AD Schema...?

Also, another use case is ssh keys. I'm not even sure that IDMU has an
option for "authorized_keys" (and FreeIPA doesn't seem to honor what's in
.ssh/authorized_keys... when that file exists I always get prompted for a
password, then access denied).

I'm sure there are other per-user level attributes that are required (home
directory, perhaps?), but the two big ones are shell and ssh keys. I can't
be the only one who has a use case for managing these attributes for Active
Directory users.

Thanks,
Jon A

On Thu, Feb 4, 2016 at 1:30 PM, Baird, Josh <jbaird at follett.com> wrote:

> For AD users, I believe you have two options.
>
> 1) Set the POSIX value on the user in AD for the shell
>
> 2) Set the following in your client's sssd.conf:
>
> [nss]
> override_shell = /bin/bash
>
> This would obviously be global per IPA client.
>
> Josh
>
> *From:* freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] *On Behalf Of *Jon
> *Sent:* Thursday, February 04, 2016 2:25 PM
> *To:* freeipa-users at redhat.com
> *Subject:* [Freeipa-users] [freeipa-users] How to manage Linux attributes for AD users (e.g. how do I set a shell for an AD User)
>
> Hello,
>
> How does one manage Linux attributes for AD users? Primarily in my case,
> I'm looking to change the default shell to either Bash or KSH depending on
> the user.
>
> I can create a .profile that either sources bash or ksh rcs... e.g.:
>
> >> $ cat ~/.profile
> >> bash ./.bashrc
>
> This is really less than ideal and just seems like the wrong way to do it,
> especially considering we have a tool like FreeIPA.
>
> According to Microsoft
> <http://blogs.technet.com/b/activedirectoryua/archive/2015/01/25/identity-management-for-unix-idmu-is-deprecated-in-windows-server.aspx>,
> they are no longer supporting Identity Management for Unix. Does FreeIPA
> honor the attributes set by IDMU? Even if it's deprecated, I suppose we
> could continue to use it...
>
> This previous FreeIPA thread
> <https://www.redhat.com/archives/freeipa-users/2013-April/msg00007.html>
> seems to indicate you can force the shell for anyone in the domain logging
> into that machine, but we have some users who prefer one shell over the other.
>
> I did what I believe to be standard: I created a security group in AD,
> added that group to an external group in FreeIPA, then made an
> internal group and added the external group as a member of the internal
> group. Unfortunately, this doesn't seem to expose any of the AD attributes
> for management. Or maybe I'm just misunderstanding...
>
> Any thoughts? How are you managing individual AD user settings?
>
> Thanks,
> Jon A
>
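As an added illustration, not code from this thread or from sssd itself, here is a small Python model of how sssd chooses the shell it returns for a trusted AD user, following the `[nss]` options documented in sssd.conf(5) in simplified form. The users, the two sssd.conf fragments and the stand-in for /etc/shells are constructed; the model shows why `override_shell` (Josh's option 2) gives every user on the client the same shell, while a per-user loginShell from AD (option 1) is honoured only when no override is set and the shell is installed on the client.

```python
import configparser

NOLOGIN_SHELL = "/sbin/nologin"

# Constructed stand-in for /etc/shells on the IPA client: ksh is not installed.
INSTALLED_SHELLS = {"/bin/sh", "/bin/bash"}

# Constructed stand-in for what the trust returns from AD (loginShell per user).
AD_USERS = {
    "alice@ad.example.test": "/bin/bash",
    "bob@ad.example.test": "/bin/ksh",
    "carol@ad.example.test": None,   # user carries no POSIX attributes in AD
}

def parse_nss(sssd_conf_text):
    """Return the [nss] section of an sssd.conf as a plain dict (empty if absent)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(sssd_conf_text)
    return dict(cp["nss"]) if cp.has_section("nss") else {}

def _csv(value):
    return [s.strip() for s in value.split(",") if s.strip()]

def resolve_shell(login_shell, nss, installed=INSTALLED_SHELLS):
    """Simplified model of sssd's shell selection for one user (sssd.conf(5))."""
    if nss.get("override_shell"):            # supersedes everything, for every user
        return nss["override_shell"]
    if not login_shell:                      # provider returned no shell at all
        return nss.get("default_shell", "")
    allowed = _csv(nss.get("allowed_shells", ""))
    vetoed = _csv(nss.get("vetoed_shells", ""))
    fallback = nss.get("shell_fallback", "/bin/sh")
    if not allowed and not vetoed:           # default: the user's own shell, as-is
        return login_shell
    if login_shell in vetoed:
        return fallback
    if allowed and "*" not in allowed and login_shell not in allowed:
        return NOLOGIN_SHELL
    if login_shell in installed:             # present in /etc/shells on this client
        return login_shell
    return fallback                          # allowed, but not installed here

def effective_shells(sssd_conf_text, users=AD_USERS):
    """Map each AD user to the shell this client would hand to NSS."""
    nss = parse_nss(sssd_conf_text)
    return {user: resolve_shell(shell, nss) for user, shell in users.items()}

# Option 2 from the thread: one shell for every AD user on this client.
GLOBAL_OVERRIDE = "[sssd]\nservices = nss, pam\n\n[nss]\noverride_shell = /bin/bash\n"
# Option 1: trust the per-user loginShell from AD, with a fallback for missing shells.
PER_USER = ("[sssd]\nservices = nss, pam\n\n[nss]\nallowed_shells = /bin/bash, /bin/ksh\n"
            "shell_fallback = /bin/sh\ndefault_shell = /bin/bash\n")
```

With PER_USER, bob still does not get ksh on this client because it is not in the constructed /etc/shells, which is the kind of per-client detail a global `override_shell` hides entirely.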