On Thu, 02 Oct 2014 14:24:55 +0200
Pavel Reichl <preichl(a)redhat.com> wrote:
> Hello,
> We have a user whose use-case seems quite legit to me but is
> impossible to achieve without changing the code.
> (https://fedorahosted.org/sssd/ticket/2219)
> What the user wants: in case the user's shell is not in /etc/shells he
> simply wants to use the value of the 'shell_fallback' option as the user's shell.
> This can be achieved if the user's shell is in the 'allowed_shells'
> option, but maintaining this option to enumerate all possible shells
> is not very convenient when you have a huge heterogeneous network for
> different projects with different administrators.
> Instead the user proposed a patch adding a special value '*' to
> 'allowed_shells' which would mean that any user's shell is a member
> of 'allowed_shells'.
> I believe that the patch will work, but the solution will IMO
> complicate the shell magic even more.
> Could we change the code so that in case the user's shell is not in
> /etc/shells and 'allowed_shells' is empty we use 'shell_fallback'? Or
> do you find the '*' a better option?
No, we cannot change the code that way because a) there is no way to
pass an empty value in the db and b) we thoroughly document in
sssd.conf(5) should we find a way to pass an "empty shell":

    3. If the shell is not in the allowed_shells list and not in
    “/etc/shells”, a nologin shell is used.

Using a '*' seems the only option to implement your idea.
Another option would be to say:
If you define shell_fallback and allowed_shells includes it then
instead of returning nologin shell we return the fallback.
Not sure if this would be clearer or more complicated for us to
describe and for an admin to grok; probably adding '*' handling would
be safer.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
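The shell-selection rule under discussion, as an added illustration in C that is not SSSD's code and not from this thread: it walks the sssd.conf(5) steps with the proposed '*' wildcard for allowed_shells. It assumes a shell present in /etc/shells is used unchanged (the step that the quoted rule 3 complements), uses a constructed /etc/shells list instead of reading the file, and `resolve_shell` and `in_list` are its own helper names.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NOLOGIN "/sbin/nologin"
/* Constructed stand-in for /etc/shells; nothing is read from disk. */
static const char *const etc_shells[] = { "/bin/sh", "/bin/bash", NULL };
/* Constructed allowed_shells settings exercised below. */
static const char *const allowed_none[] = { NULL };                /* option unset */
static const char *const allowed_some[] = { "/usr/bin/zsh", NULL };
static const char *const allowed_any[]  = { "*", NULL };           /* proposed wildcard */

/* True if shell is listed, or if the list carries the proposed '*' entry. */
static bool in_list(const char *const *list, const char *shell, bool allow_star)
{
    for (size_t i = 0; list != NULL && list[i] != NULL; i++) {
        if (strcmp(list[i], shell) == 0 ||
            (allow_star && strcmp(list[i], "*") == 0))
            return true;
    }
    return false;
}

/* Shell handed to the client, following the sssd.conf(5) steps as summarised
 * in the thread: in /etc/shells -> used as is; in allowed_shells but not in
 * /etc/shells -> shell_fallback; otherwise nologin. Assumes shell_fallback is set. */
const char *resolve_shell(const char *user_shell,
                          const char *const *allowed_shells,
                          const char *shell_fallback)
{
    if (user_shell == NULL)                  /* guard for this example only */
        return NOLOGIN;
    if (in_list(etc_shells, user_shell, false))
        return user_shell;
    /* With '*', an unknown shell is no longer refused but mapped to
     * shell_fallback: the wildcard widens what the directory may set. */
    if (in_list(allowed_shells, user_shell, true))
        return shell_fallback;
    return NOLOGIN;
}

int main(void)
{
    printf("%s %s %s\n", resolve_shell("/usr/bin/zsh", allowed_none, "/bin/sh"),
           resolve_shell("/usr/bin/zsh", allowed_some, "/bin/sh"),
           resolve_shell("/usr/bin/zsh", allowed_any, "/bin/sh"));
    return 0;
}
```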