[Freeipa-users] Default shell for AD-domain accounts

Rob Verduijn rob.verduijn at gmail.com
Mon Jan 25 09:44:04 UTC 2016


Maybe the difference was that I used a fresh demo installation from
windows 2012r2 server.
I only added the ad-controller, dns and ntp functionality for testing.
(and all the patches...which literally takes a day to complete on a
system with 4 cores and 4G ram)

I also found out that dnssec is not default, so I disabled dnssec
validation on the ipa server in the named.conf.
Because this already cost me a day's work debugging and not to mention
lack of knowledge on how to do this in ad.

Minor side note,
according to : https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/trust-requirements.html#dns-realm-settings
In the dns verification checks it tells you to verify the kerberos udp record
dig +short -t SRV _kerberos._udp.dc._msdcs.ad.example.com.
This yields no response

There is no udp record in the AD, but there is a tcp record.
dig +short -t SRV _kerberos._tcp.dc._msdcs.ad.example.com.
This gives a response

I also validated the trust on the AD side, I'm not sure this is needed.

After doing this I can issue the command : 'id AD.DOMAIN\\ADUSER' and
I get a response telling me the uid/gid/ad-id/ad-group etc.

Rob Verduijn

2016-01-25 9:24 GMT+01:00 Jakub Hrozek <jhrozek at redhat.com>:
> On Sun, Jan 24, 2016 at 08:03:09PM +0100, Rob Verduijn wrote:
>> Hi,
>>
>> Hmmmm microsoft removes the UI, but leaves the schema extension.
>> Does not really make sense, but after some googling this does seem to
>> be the case.
>>
>> Your comment made me check google with some different keywords and I
>> found that there was this irritation that was solved by somebody. (at
>> microsoft)
>>
>> http://blogs.technet.com/b/sfu/archive/2013/07/08/ldap-calls-made-from-the-unix-client-query-incorrect-login-shell.aspx
>>
>> That explains why modifying the loginShell attribute did not work.
>>
>> I put the 'ldap_user_shell=msSFU30LoginShell' in the
>> [domain/ipadomain] section from sssd.conf.
>> This is required I guess on all ipa-clients that AD-accounts get access to.
>
> Hmm, is this really required? The thing is that the IPA clients get
> their information through an extended operation and it's the SSSD on the
> IPA server that does the heavy lifting and just passes the info to the
> clients.
>
> I'll try to find some time later to test this..
>
>>
>> And now all users seem to get the /bin/bash that can be set in the
>> AD-user attribute loginShell
>>
>> ( glad to see they keep their camel case in sync everywhere in the AD )
>>
>> Thanks for thinking along on this one.
>> Rob Verduijn
>>
>> 2016-01-24 16:02 GMT+01:00 Jakub Hrozek <jhrozek at redhat.com>:
>> >
>> >> On 24 Jan 2016, at 12:00, Rob Verduijn <rob.verduijn at gmail.com> wrote:
>> >>
>> >> Hello,
>> >>
>> >> I'm trying to get an ipa server to trust a microsoft AD-domain.
>> >>
>> >> So far I've managed to get the trust to work and I can login with an
>> >> active directory user on the ipa clients.
>> >>
>> >> Now I see the default shell is set to /bin/sh.
>> >> Since the preferred shell is bash for me I wish to change this.
>> >> It doesn't help to set this in the ipa server config since these
>> >> accounts are external ms accounts.
>> >>
>> >> In the good old days we used to have posix attributes schemas in the
>> >> AD one of them being the shell.
>> >>
>> >> Sadly this is a thing of the past.
>> >                           ~~~~~~~~~~~~
>> >
>> > Are you referring to IMU being deprecated? IIRC the attributes should work..even though MS is deprecating the UI..
>> >
>> > Alternatively, since the clients read the ID info via the server, overriding the shell in IPA server's sssd.conf should work as well.
>> >
>> >> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/ex.sssd-ad-posix.html
>> >>
>> >> How do I define a new default shell for all ms-AD accounts in ipa ?
>> >>
>> >> Cheers
>> >> Rob Verduijn
>> >>
>> >
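The two checks discussed in this thread, the DC SRV records that the trust setup relies on and the shell setting SSSD ends up using for AD users, can be scripted so they are not repeated by hand on every client. The script below is an added example, not code from the thread or from the FreeIPA/SSSD projects. It assumes `dig` and `awk` are installed, that the AD forest is `ad.example.com` and that the IPA-side domain section is `[domain/ipadomain]` as in Rob's mail; the sample sssd.conf in the usage note is constructed. `ldap_user_shell` and `override_shell` are real SSSD domain options and `default_shell` a real `[nss]` option; which of them the IPA server honours for trusted-domain users is exactly the question left open above, so the script only reports what is configured.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks for an IPA <-> AD trust.
# Assumptions: dig and awk are available; the AD forest is ad.example.com;
# the IPA domain section in sssd.conf is [domain/ipadomain].

# Parse `dig +short -t SRV` output ("prio weight port target.") and print the
# targets only. Returns 1 when dig returned no record at all.
srv_targets() {
    found=1
    while read -r prio weight port target; do
        [ -n "$target" ] || continue
        printf '%s\n' "${target%.}"
        found=0
    done
    return "$found"
}

# Query the DC Kerberos SRV record over both transports. As noted in the
# thread, AD publishes _tcp but no _udp record, so only TCP is required.
check_dc_srv() {
    domain=$1
    rc=0
    for proto in _tcp _udp; do
        name="_kerberos.${proto}.dc._msdcs.${domain}."
        if targets=$(dig +short -t SRV "$name" | srv_targets); then
            printf 'OK   %s -> %s\n' "$name" "$(printf '%s' "$targets" | tr '\n' ' ')"
        elif [ "$proto" = _tcp ]; then
            printf 'FAIL %s (no record; the trust cannot locate a DC)\n' "$name"
            rc=1
        else
            printf 'INFO %s (AD does not publish this one; ignore)\n' "$name"
        fi
    done
    return "$rc"
}

# Report which shell-related settings apply: ldap_user_shell / override_shell
# in the given domain section and default_shell in [nss]. Prints "none" if
# no such setting exists, i.e. AD users will get SSSD's built-in fallback.
sssd_shell_setting() {
    conf=$1
    section=$2
    awk -v want="[$section]" '
        /^\[/ { insec = ($0 == want); innss = ($0 == "[nss]"); next }
        /=/ {
            split($0, kv, "=")
            gsub(/[ \t]/, "", kv[1])
            gsub(/^[ \t]+|[ \t]+$/, "", kv[2])
            if (insec && (kv[1] == "ldap_user_shell" || kv[1] == "override_shell")) {
                print kv[1] "=" kv[2]; found = 1
            }
            if (innss && kv[1] == "default_shell") {
                print kv[1] "=" kv[2]; found = 1
            }
        }
        END { if (!found) print "none" }
    ' "$conf"
}

# Usage: sh ipa-trust-check.sh ad.example.com [/etc/sssd/sssd.conf domain/ipadomain]
if [ "$#" -ge 1 ]; then
    check_dc_srv "$1"
    if [ "$#" -ge 3 ]; then
        sssd_shell_setting "$2" "$3"
    fi
fi
```

Run it once on the IPA server and once on a client: if the client's sssd.conf prints `none` while the server prints `ldap_user_shell=msSFU30LoginShell`, the shell seen at login tells you whether the server-side setting is sufficient or the option really has to be repeated on every client.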