[Freeipa-users] [freeipa-users] How to manage Linux attributes for AD users (e.g. how do I set a shell for an AD User)

Jakub Hrozek jhrozek at redhat.com
Fri Feb 5 08:41:21 UTC 2016


On Thu, Feb 04, 2016 at 01:57:20PM -0600, Jon wrote:
> Hi Josh,
> 
> I think that's exactly the problem though, how does one set POSIX
> attributes in AD from Linux guests?
> 
> The RedHat documentation has a big warning that the Microsoft IDMU has been
> deprecated.

IIRC the UI is, the schema is not.

> 
> >>
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/ex.sssd-ad-posix.html
> 
> Surely you're not suggesting manually editing the AD Schema...?
> 
> Also, another use case is ssh keys.  I'm not even sure that IDMU has an
> option for "authorized_keys"  (and FreeIPA doesn't seem to honor what's in
> .ssh/authorized keys...  when that file exists I always get prompted for a
> password then access denied).

For per-AD-user ssh pubkeys, you can use the idviews feature:
    ipa idoverrideuser-add --sshpubkey=STR
see:
    https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/id-views.html
same for shells, although as Josh said, shells can be set globally for
all users in sssd.conf

> 
> I'm sure there are other per-user level attributes that are required, home
> directory perhaps?, but the two big ones are shell and ssh keys.  I can't
> be the only one who has a use case for managing these attributes for Active
> Directory users.
> 
> Thanks,
> Jon A
> 
> On Thu, Feb 4, 2016 at 1:30 PM, Baird, Josh <jbaird at follett.com> wrote:
> 
> > For AD users, I believe you have two options.
> >
> > 1) Set the POSIX value on the user in AD for the shell
> >
> > 2) Set the following in your client's sssd.conf:
> >
> > [nss]
> > override_shell = /bin/bash
> >
> > This would obviously be global per IPA client.
> >
> > Josh
> >
> > From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Jon
> > Sent: Thursday, February 04, 2016 2:25 PM
> > To: freeipa-users at redhat.com
> > Subject: [Freeipa-users] [freeipa-users] How to manage Linux attributes for AD users (e.g. how do I set a shell for an AD User)
> >
> > Hello,
> >
> > How does one manage Linux attributes for AD users?  Primarily in my case,
> > I'm looking to change the default shell to either Bash or KSH depending on
> > the user.
> >
> > I can create a .profile that either sources bash or ksh rcs... e.g.:
> >
> > >> $ cat ~/.profile
> > >> bash ./.bashrc
> >
> > This is really less than ideal and just seems like the wrong way to do it,
> > especially considering we have a tool like FreeIPA.
> >
> > According to Microsoft
> > <http://blogs.technet.com/b/activedirectoryua/archive/2015/01/25/identity-management-for-unix-idmu-is-deprecated-in-windows-server.aspx>,
> > they are no longer supporting Identity Management for Unix.  Does FreeIPA
> > honor the attributes set by IDMU?  Even if it's deprecated, I suppose we
> > could continue to use it...
> >
> > This previous FreeIPA thread
> > <https://www.redhat.com/archives/freeipa-users/2013-April/msg00007.html> seems
> > to indicate you can force the shell for anyone in the domain logging into
> > that machine, but we have some users who prefer one shell over the other.
> >
> > I did what I believe to be standard: I created a security group in AD,
> > added that group to an external group in FreeIPA, then made an
> > internal group and added the external group as a member to the internal
> > group.  Unfortunately, this doesn't seem to expose any of the AD attributes
> > for management.  Or maybe I'm just misunderstanding...
> >
> > Any thoughts?  How are you managing individual AD user settings?
> >
> > Thanks,
> >
> > Jon A
> >

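The per-user path Jakub points to (an ID view with ipa idoverrideuser-add carrying --shell and --sshpubkey), carried through as an added example for this thread. It is not code from FreeIPA or from any of the posters. The view name unix-shells, the AD domain ad.example.com, the host group unix-clients, the allowlist of shells, and the two sample logins with placeholder key bodies are all assumptions constructed for the example; check_shell and check_pubkey are the example's own guards, not checks ipa performs.

```shell
#!/bin/sh
# Added example for this thread: per-user shell and ssh public key for AD
# users through a FreeIPA ID view. Not code from FreeIPA or from any poster.
# On a real run you need an admin Kerberos ticket (kinit admin); set IPA=echo
# to print the ipa commands instead of executing them.

IPA="${IPA:-ipa}"
VIEW="${VIEW:-unix-shells}"                 # assumed ID view name
AD_DOMAIN="${AD_DOMAIN:-ad.example.com}"    # assumed trusted AD domain
HOSTGROUP="${HOSTGROUP:-unix-clients}"      # assumed IPA host group of the clients
ALLOWED_SHELLS="/bin/bash /bin/ksh"         # assumed: installed on every client

# Constructed sample data: one "login|shell|ssh public key" per line.
# The base64 bodies are placeholders, not real keys.
OVERRIDES='jon|/bin/ksh|ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderPlaceholderPlaceholderPlaceho jon@laptop
josh|/bin/bash|ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDPlaceholderPlaceholderPlaceholderPlaceholder josh@desk'

# check_shell PATH: accept only an allowlisted shell. sssd hands the override
# to the login process verbatim, so a mistyped or missing shell is a lockout.
check_shell() {
  for s in $ALLOWED_SHELLS; do
    [ "$1" = "$s" ] && return 0
  done
  return 1
}

# check_pubkey KEY: exactly one line of "type base64 [comment]" with a known
# key type and a clean base64 body. ipa stores whatever string it is given,
# so this is the place to refuse junk.
check_pubkey() {
  [ "$(printf '%s\n' "$1" | wc -l | tr -d ' ')" -eq 1 ] || return 1
  read -r ktype kbody kcomment <<EOF
$1
EOF
  case "$ktype" in
    ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
    *) return 1 ;;
  esac
  [ -n "$kbody" ] || return 1
  [ -z "$(printf '%s' "$kbody" | tr -d 'A-Za-z0-9+/=')" ] || return 1
}

# override_user LOGIN SHELL KEY: add the override for one AD user. The anchor
# is the AD login; --shell and --sshpubkey are ipa idoverrideuser-add options.
# Fails closed when either guard rejects the input.
override_user() {
  check_shell "$2"  || { echo "refusing shell '$2' for $1" >&2; return 1; }
  check_pubkey "$3" || { echo "refusing malformed key for $1" >&2; return 1; }
  "$IPA" idoverrideuser-add "$VIEW" "$1@$AD_DOMAIN" --shell="$2" --sshpubkey="$3"
}

# apply_all: create the view if needed, add every override, then attach the
# view to the host group whose sssd clients should honour it.
apply_all() {
  "$IPA" idview-show "$VIEW" >/dev/null 2>&1 \
    || "$IPA" idview-add "$VIEW" --desc="per-user shells and ssh keys for AD users"
  while IFS='|' read -r login shell key; do
    [ -n "$login" ] || continue
    override_user "$login" "$shell" "$key" || return 1
  done <<EOF
$OVERRIDES
EOF
  "$IPA" idview-apply "$VIEW" --hostgroups="$HOSTGROUP"
}

# Only touch the server when explicitly asked: sh this-script.sh apply
if [ "${1:-}" = apply ]; then
  apply_all
fi
```

Two operational points worth keeping next to this. If the overrides go into the view named "Default Trust View" instead of a custom one, the idview-apply step is unnecessary, since every IPA client consults that view for trusted-domain users; and after changing an override, clear the client's sssd cache (sss_cache -E) before testing a login. The global alternative Josh gives, override_shell under [nss] in sssd.conf, is applied by the NSS responder to every user and supersedes any other shell source, so it will also mask a per-user shell set through the view; choose one mechanism per client.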