Went for option 1. Works fine after I noticed the crucial difference
between 'override_shell' and 'default_shell'. Thanks.
--
Mike Renfro / R&D Engineer, Center for Manufacturing Research,
931 372-3601 / Tennessee Technological University
On 7/18/16, 3:33 AM, "Jakub Hrozek" <jhrozek(a)redhat.com> wrote:
On Mon, Jul 18, 2016 at 05:46:07AM +0000, Renfro, Michael wrote:
> I've previously only used sssd in a much simpler situation, on a
> single-domain AD forest with no additional complications. Now, I'm
>trying
> to make it work with the following:
>
> 1. Forest (
vvu.edu) with two domains (
vvu.edu, the root domain) and
>
vae.vvu.edu (child domain), with the default two-way trust between the
> domains. For reasons of Windows system management and user experience, I
> can't easily break the domain trust or put all users in the root domain.
>
> 2. Linux system with sssd, preferably Debian or Ubuntu, tied to the
>child
> domain. CentOS and RHEL may be a possibility later. I assume any working
> version number of sssd will work identically on any platform.
>
> 3. As far as the Linux system is concerned, all user accounts in the
>root
> domain are normal, unprivileged end-user accounts. These should get a
> shell of /usr/bin/rssh.
>
> 4. The only user accounts in the child domain are for system
> administrators. Accounts in the AD group 'server-admins' should get a
> shell of /bin/bash.
>
> I got hints from both
>
>https://fedorahosted.org/sssd/wiki/DesignDocs/ActiveDirectoryAccessContro
>l
> and
http://serverfault.com/a/577885 , but I'm stuck without a complete
> solution.
So the tl;dr is that you want different shells for different accounts?
I can think of severak ways to accomplish this:
1) use sss_override and locally set the shell for those accounts.
See
https://jhrozek.wordpress.com/2016/02/15/sssd-local-overrides/
But this requires a newer sssd and also would require to set the
shell per-account on all systems.
2) use IPA and ID-views. I'm not sure this is an option for you, but
I thought I'd bring it up for completeness.
3) put the shell into the POSIX attribute set on the server side.
But please note that the choice of ID-mapping or POSIX attributes is
all-or-nothing, so you can't have ID-mapped UIDs and shell read from
the server.
3) Create separate SSSD domains in your config and set the
override_shell parameter locally. This is what you did, but I think
the difference is that the trusted domain is auto-discovered, so the
settings from the 'parent' domain apply. Can you try with
subdomain_provider=none and manually setting the
ldap_idmap_default_domain_sid (should not be required with 1.14.1..)
?
A simpler test might be to only define the 'trusted' domain section
with the correct shell override, clear the caches and see if all
accounts get the 'trusted shell' then.
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.o
rg