[Freeipa-users] Default shell for AD-domain accounts

Rob Verduijn rob.verduijn at gmail.com
Sun Jan 24 19:03:09 UTC 2016


Hi,

Hmmmm microsoft removes the UI, but leaves the schema extension.
Does not really make sense, but after some googling this does seem to
be the case.

Your comment made me check google with some different keywords and I
found that there was this irritation that was solved by somebody. (at
microsoft)

http://blogs.technet.com/b/sfu/archive/2013/07/08/ldap-calls-made-from-the-unix-client-query-incorrect-login-shell.aspx

That explains why modifying the loginShell attribute did not work.

I put the 'ldap_user_shell=msSFU30LoginShell' in the
[domain/ipadomain] section from sssd.conf.
This is required I guess on all ipa-clients that AD-accounts get access to.

And now all users seem to get the /bin/bash that can be set in the
AD-user attribute loginShell

( glad to see they keep their camel case in sync everywhere in the AD )

Thanks for thinking along on this one.
Rob Verduijn

2016-01-24 16:02 GMT+01:00 Jakub Hrozek <jhrozek at redhat.com>:
>
>> On 24 Jan 2016, at 12:00, Rob Verduijn <rob.verduijn at gmail.com> wrote:
>>
>> Hello,
>>
>> I'm trying to get an ipa server to trust a microsoft AD-domain.
>>
>> So far I've managed to get the trust to work and I can login with an
>> active directory user on the ipa clients.
>>
>> Now I see the default shell is set to /bin/sh.
>> Since the preferred shell is bash for me I wish to change this.
>> It doesn't help to set this in the ipa server config since these
>> accounts are external ms accounts.
>>
>> In the good old days we used to have posix attributes schemas in the
>> AD one of them being the shell.
>>
>> Sadly this is a thing of the past.
>                           ~~~~~~~~~~~~
>
> Are you referring to IMU being deprecated? IIRC the attributes should work, even though MS is deprecating the UI.
>
> Alternatively, since the clients read the ID info via the server, overriding the shell in IPA server's sssd.conf should work as well.
>
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/ex.sssd-ad-posix.html
>>
>> How do I define a new default shell for all ms-AD accounts in ipa ?
>>
>> Cheers
>> Rob Verduijn
>>
>



