On Thu, Feb 20, 2014 at 08:37:23PM +0000, John P Arends wrote:
I’m new to SSSD in general. I configured a RHEL 6.5 machine to
authenticate against a 2008 R2 AD using ldap_id_mapping because our AD does not have unix
information defined for users. All appears to be working well. I had to add
override_homedir = /home/%u to get home directories to be created by oddjob mkhomedir.
The only problem is the group ownership on the home directory is “domain users” rather
than the user’s private group. The default permissions also allow domain users
read/execute access to the home directory.
It looks like you can change the umask used in /etc/pam.d/system-auth-ac, but I don’t see
where I can control the group information. Any suggestions on best practices on how to fix
this? I was surprised it wasn’t in the docs.
-John
Hi John,
the defaults for oddjob are known to be wrong:
https://bugzilla.redhat.com/show_bug.cgi?id=995097
However, you can set a more sensible default in
/etc/oddjobd.conf.d/oddjobd-mkhomedir.conf
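
An added example, not part of the original thread: a shell check that reads the umask handed to mkhomedir in that file and reports whether it leaves group or other permission bits open on new home directories. It assumes the helper lines pass the umask through mkhomedir's `-u` option; the sample configuration is constructed for illustration, and the check covers permissions only, not the group ownership.

```shell
#!/bin/sh
# Audit the umask oddjobd hands to mkhomedir (added example, not from the thread).

# Constructed sample, modelled on a helper line in oddjobd-mkhomedir.conf (assumption).
sample_conf() {
cat <<'EOF'
<helper exec="/usr/libexec/oddjob/mkhomedir -u 0002"
        arguments="1"
        prepend_user_name="yes"/>
EOF
}

# Print each distinct umask given via "-u" in a helper exec="..." attribute.
# Reads the files named as arguments, or stdin when none are given.
mkhomedir_umasks() {
    sed -n 's/.*exec="[^"]*mkhomedir[^"]* -u \([0-7][0-7]*\)[^"]*".*/\1/p' "$@" | sort -u
}

# Return 0 only if every configured umask clears all group and other bits.
# Return 1 if any umask leaves such bits open, 2 if no -u option is present.
audit_conf() {
    found=$(mkhomedir_umasks "$@")
    if [ -z "$found" ]; then
        echo "no mkhomedir -u option found"
        return 2
    fi
    rc=0
    for u in $found; do
        # A umask removes group/other access only when its low six bits are all set.
        if [ $(( 0$u & 077 )) -eq $(( 077 )) ]; then
            echo "umask $u: group and other access removed"
        else
            echo "umask $u: group/other bits left open on new home directories"
            rc=1
        fi
    done
    return $rc
}

# Demonstration on the constructed sample. On a host, run instead:
#   audit_conf /etc/oddjobd.conf.d/oddjobd-mkhomedir.conf
sample_conf | audit_conf || true
```

Home directories that already exist keep their current mode, so they need a separate permissions check after the setting is changed.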