Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[RFE] Method for setting custom shells without Unix Attributes in AD account #3508

Closed
sssd-bot opened this issue May 2, 2020 · 0 comments
Closed

[RFE] Method for setting custom shells without Unix Attributes in AD account #3508

sssd-bot opened this issue May 2, 2020 · 0 comments
Labels
Closed: Fixed Issue was closed as fixed.

Comments

@sssd-bot
Copy link

sssd-bot commented May 2, 2020

Cloned from Pagure issue: https://pagure.io/SSSD/sssd/issue/2466

  • Created at 2014-10-17 18:35:33 by doubletwist
  • Closed as Fixed
  • Assigned to nobody

Would love to see a way to set custom user shells without requiring the Posix attributes in AD. Currently when using id_provider=ad, auth_provider=ad, ldap_schema=ad, etc. we don't have to set posix attributes for groups as it uses the Windows groups, memberships and SIDs. It also uses the Windows SID for the users.

We are able to use "default_shell" to set a common shell [ie /bin/bash] without having posix attributes set in the user account, but when we have users who want to use a different shell [ie /bin/ksh or /bin/tcsh], we have to configure the posix attributes for that user.

It would be great if there was a way with sssd to specify an alternate shell for specific users [or group maybe?] without having to set posix attributes for those users.

Comments

Comment from sgallagh at 2014-10-17 18:38:08

This could be solved by adding a shell override on individual cache entries and making this user-editable via the InfoPipe.

Comment from jhrozek at 2014-10-22 23:23:36

We had patches in the form of a sss_shell utility some time ago, but I remember simo was firmly against the idea a user could choose his own shell in a centralized environment, hence all the fallback and allow options we have now..

Simo, is it still the case?

cc: => simo@redhat.com

Comment from gisburn at 2014-10-23 15:17:46

Note that the number of available shells in a system is limited by those explicitly allowed in /etc/shells (/bin/sh+/usr/bin/sh are AFAIK always allowed), so there is no way to "invade" a system with a "random shell" setting via a NIS/LDAP attack vector.
That's exactly why /etc/shells was invented in the first place...

cc: simo@redhat.com => simo@redhat.com, rmainz@redhat.com

Comment from jhrozek at 2014-11-07 15:18:05

The way Simo proposed to fix this is something similar to IPA views, except local in sssd.ldb.

milestone: NEEDS_TRIAGE => SSSD 1.14 beta

Comment from doubletwist at 2014-11-07 16:32:53

It's not even about having the users choose their own shell. Even if it were a root-configureable setting would be sufficient.

_comment0: It's not even about having the uses choose their own shell. Even if it were a root-configureable setting would be sufficient. => 1415374384468276

Comment from jhrozek at 2014-11-19 18:49:00

Fields changed

rhbz: => todo

Comment from jhrozek at 2016-02-16 14:42:05

This is exactly what the sss_override tool does: https://jhrozek.wordpress.com/2016/02/15/sssd-local-overrides/

resolution: => fixed
sensitive: => 0
status: new => closed

Comment from jhrozek at 2016-09-11 22:11:33

Fields changed

rhbz: todo => 0

Comment from doubletwist at 2017-02-24 14:56:12

Metadata Update from @doubletwist:

  • Issue set to the milestone: SSSD 1.14 beta
@sssd-bot sssd-bot added the Closed: Fixed Issue was closed as fixed. label May 2, 2020
@sssd-bot sssd-bot closed this as completed May 2, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Closed: Fixed Issue was closed as fixed.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@sssd-bot