[Freeipa-users] [freeipa-users] How to manage Linux attributes for AD users (e.g. how do I set a shell for an AD User)
Jakub Hrozek
jhrozek at redhat.com
Fri Feb 5 08:41:21 UTC 2016
On Thu, Feb 04, 2016 at 01:57:20PM -0600, Jon wrote:
> Hi Josh,
>
> I think that's exactly the problem though, how does one set POSIX
> attributes in AD from Linux guests?
>
> The RedHat documentation has a big warning that the Microsoft IDMU has been
> deprecated.
IIRC the UI is, the schema is not.
>
> >>
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/ex.sssd-ad-posix.html
>
> Surely you're not suggesting manually editing the AD Schema...?
>
> Also, another use case is ssh keys. I'm not even sure that IDMU has an
> option for "authorized_keys" (and FreeIPA doesn't seem to honor what's in
> .ssh/authorized keys... when that file exists I always get prompted for a
> password then access denied).
For per-AD-user ssh pubkeys, you can use the idviews feature:
ipa idoverrideuser-add --sshpubkey=STR
see:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/id-views.html
Same for shells, although, as Josh said, shells can be set globally for
all users in sssd.conf.
>
> I'm sure there are other per-user level attributes that are required, home
> directory perhaps?, but the two big ones are shell and ssh keys. I can't
> be the only one who has a use case for managing these attributes for Active
> Directory users.
>
> Thanks,
> Jon A
>
> On Thu, Feb 4, 2016 at 1:30 PM, Baird, Josh <jbaird at follett.com> wrote:
>
> > For AD users, I believe you have two options.
> >
> > 1) Set the POSIX value on the user in AD for the shell
> >
> > 2) Set the following in your client's sssd.conf:
> >
> > [nss]
> > override_shell = /bin/bash
> >
> > This would obviously be global per IPA client.
> >
> > Josh
> >
> > From: freeipa-users-bounces at redhat.com [mailto:
> > freeipa-users-bounces at redhat.com] On Behalf Of Jon
> > Sent: Thursday, February 04, 2016 2:25 PM
> > To: freeipa-users at redhat.com
> > Subject: [Freeipa-users] [freeipa-users] How to manage Linux attributes
> > for AD users (e.g. how do I set a shell for an AD User)
> >
> > Hello,
> >
> > How does one manage Linux attributes for AD users? Primarily in my case,
> > I'm looking to change the default shell to either Bash or KSH depending on
> > the user.
> >
> > I can create a .profile that either sources bash or ksh rcs... e.g.:
> >
> > >> $ cat ~/.profile
> > >> bash ./.bashrc
> >
> > This is really less than ideal and just seems like the wrong way to do it,
> > especially considering we have a tool like FreeIPA.
> >
> > According to Microsoft
> > <http://blogs.technet.com/b/activedirectoryua/archive/2015/01/25/identity-management-for-unix-idmu-is-deprecated-in-windows-server.aspx>,
> > they are no longer supporting Identity Management for Unix. Does FreeIPA
> > honor the attributes set by IDMU? Even if it's deprecated, I suppose we
> > could continue to use it...
> >
> > This previous FreeIPA thread
> > <https://www.redhat.com/archives/freeipa-users/2013-April/msg00007.html> seems
> > to indicate you can force the shell for anyone in the domain logging into
> > that machine, but we have some users who prefer one shell over the other.
> >
> > I did what I believe to be standard: I created a security group in AD,
> > added that group to an external group in FreeIPA, then made an
> > internal group and added the external group as a member of the internal
> > group. Unfortunately, this doesn't seem to expose any of the AD attributes
> > for management. Or maybe I'm just misunderstanding...
> >
> > Any thoughts? How are you managing individual AD user settings?
> >
> > Thanks,
> >
> > Jon A
> >
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
More information about the Freeipa-users
mailing list
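The per-user alternative Jakub points to (an ID view with user overrides for shell and ssh public key, applied to specific IPA clients) as a worked script. This is an added example, not code from the thread or from the FreeIPA project; the ID view name, AD domain, host name, user names and public key are made-up placeholders, and the script assumes the ipa client tools plus an admin Kerberos ticket. By default it only prints the commands (DRY_RUN=1) so they can be reviewed; set DRY_RUN to empty to execute them.

```shell
#!/bin/sh
# Added example (not from the thread): per-user shell and ssh key overrides
# for AD users via a FreeIPA ID view, applied to one IPA client host.
# Placeholders (assumed, not from the thread): view name, AD domain, host,
# user names and the public key string below.
# Requires the ipa client tools and an admin ticket (kinit admin) to execute.
# DRY_RUN defaults to 1 (print commands); run with DRY_RUN= to execute them.

DRY_RUN="${DRY_RUN-1}"
IDVIEW="${IDVIEW:-ad_linux_overrides}"
AD_DOMAIN="${AD_DOMAIN:-ad.example.com}"

# Print the command in dry-run mode, otherwise execute it as given.
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Create the ID view once; user overrides are attached to it.
create_view() {
    run ipa idview-add "$IDVIEW" --desc="Linux attribute overrides for AD users"
}

# Add a per-user override: $1 = AD user, $2 = shell, $3 = optional ssh pubkey.
# The override anchor for a trusted AD user is user@AD_DOMAIN.
# Positional parameters are rebuilt with set -- so a pubkey containing
# spaces stays one argument.
override_user() {
    user="$1"; shell="$2"; pubkey="$3"
    set -- ipa idoverrideuser-add "$IDVIEW" "$user@$AD_DOMAIN" --shell="$shell"
    if [ -n "$pubkey" ]; then
        set -- "$@" --sshpubkey="$pubkey"
    fi
    run "$@"
}

# Apply the view to a host; only clients with the view applied see the
# overridden attributes, unlike override_shell in sssd.conf, which is
# global for every user on that client.
apply_view() {
    run ipa idview-apply "$IDVIEW" --hosts="$1"
}

main() {
    create_view
    override_user jon /bin/bash "ssh-ed25519 AAAAC3PLACEHOLDERKEY jon@example"
    override_user alice /bin/ksh
    apply_view client1.ipa.example.com
}

main
```

With the defaults, running the script prints the four ipa commands it would issue. The view is per-host by design: the same AD user can get ksh on one set of clients and the global sssd.conf override_shell everywhere else, which is the distinction between option 2 in Josh's reply and the idviews approach.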