You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Would love to see a way to set custom user shells without requiring the Posix attributes in AD. Currently when using id_provider=ad, auth_provider=ad, ldap_schema=ad, etc. we don't have to set posix attributes for groups as it uses the Windows groups, memberships and SIDs. It also uses the Windows SID for the users.
We are able to use "default_shell" to set a common shell [ie /bin/bash] without having posix attributes set in the user account, but when we have users who want to use a different shell [ie /bin/ksh or /bin/tcsh], we have to configure the posix attributes for that user.
It would be great if there was a way with sssd to specify an alternate shell for specific users [or group maybe?] without having to set posix attributes for those users.
We had patches in the form of a sss_shell utility some time ago, but I remember simo was firmly against the idea a user could choose his own shell in a centralized environment, hence all the fallback and allow options we have now..
Note that the number of available shells in a system is limited by those explicitly allowed in /etc/shells (/bin/sh+/usr/bin/sh are AFAIK always allowed), so there is no way to "invade" a system with a "random shell" setting via a NIS/LDAP attack vector.
That's exactly why /etc/shells was invented in the first place...
It's not even about having the users choose their own shell. Even if it were a root-configureable setting would be sufficient.
_comment0: It's not even about having the uses choose their own shell. Even if it were a root-configureable setting would be sufficient. => 1415374384468276
Cloned from Pagure issue: https://pagure.io/SSSD/sssd/issue/2466
Would love to see a way to set custom user shells without requiring the Posix attributes in AD. Currently when using id_provider=ad, auth_provider=ad, ldap_schema=ad, etc. we don't have to set posix attributes for groups as it uses the Windows groups, memberships and SIDs. It also uses the Windows SID for the users.
We are able to use "default_shell" to set a common shell [ie /bin/bash] without having posix attributes set in the user account, but when we have users who want to use a different shell [ie /bin/ksh or /bin/tcsh], we have to configure the posix attributes for that user.
It would be great if there was a way with sssd to specify an alternate shell for specific users [or group maybe?] without having to set posix attributes for those users.
Comments
Comment from sgallagh at 2014-10-17 18:38:08
This could be solved by adding a shell override on individual cache entries and making this user-editable via the InfoPipe.
Comment from jhrozek at 2014-10-22 23:23:36
We had patches in the form of a sss_shell utility some time ago, but I remember simo was firmly against the idea a user could choose his own shell in a centralized environment, hence all the fallback and allow options we have now..
Simo, is it still the case?
cc: => simo@redhat.com
Comment from gisburn at 2014-10-23 15:17:46
Note that the number of available shells in a system is limited by those explicitly allowed in /etc/shells (/bin/sh+/usr/bin/sh are AFAIK always allowed), so there is no way to "invade" a system with a "random shell" setting via a NIS/LDAP attack vector.
That's exactly why /etc/shells was invented in the first place...
cc: simo@redhat.com => simo@redhat.com, rmainz@redhat.com
Comment from jhrozek at 2014-11-07 15:18:05
The way Simo proposed to fix this is something similar to IPA views, except local in sssd.ldb.
milestone: NEEDS_TRIAGE => SSSD 1.14 beta
Comment from doubletwist at 2014-11-07 16:32:53
It's not even about having the users choose their own shell. Even if it were a root-configureable setting would be sufficient.
_comment0: It's not even about having the uses choose their own shell. Even if it were a root-configureable setting would be sufficient. => 1415374384468276
Comment from jhrozek at 2014-11-19 18:49:00
Fields changed
rhbz: => todo
Comment from jhrozek at 2016-02-16 14:42:05
This is exactly what the sss_override tool does: https://jhrozek.wordpress.com/2016/02/15/sssd-local-overrides/
resolution: => fixed
sensitive: => 0
status: new => closed
Comment from jhrozek at 2016-09-11 22:11:33
Fields changed
rhbz: todo => 0
Comment from doubletwist at 2017-02-24 14:56:12
Metadata Update from @doubletwist:
The text was updated successfully, but these errors were encountered: