On 31 Aug 2018, at 17:34, Daniele Raffo <dr01@fedoraproject.org> wrote:
Hello,
I'm trying to define two sssd groups in order to assign a different login shell to AD users belonging to two different AD groups in our domain FOOBAR.GLOBAL. However, all users are unable to log in and get an error "Authentication failed".
Are you able to at least resolve the users? What exact name are you using to resolve the users, username@foobar_nologin.global or username@foobar.global? The former would work, the latter would not.
btw if all you want is to munge the shell based on group memberships, maybe the sss_override tool would help?
If I change a sssd section to [domain/FOOBAR.GLOBAL] so as to reflect the existing AD domain, users defined in that sssd group are able to log in. However, clearly in this way I cannot define more than one section. Why is that? How to define sssd sections with names different than the existing AD domain?
Thanks in advance. Below is my sssd.conf.
[sssd]
domains = FOOBAR_ADMINS.GLOBAL,FOOBAR_NOLOGIN.GLOBAL
config_file_version = 2
services = nss, pam

[domain/FOOBAR_NOLOGIN.GLOBAL]
ldap_user_search_filter = (memberOf=CN=Simple Users,OU=Security Groups,DC=FOOBAR,DC=GLOBAL)
default_shell = /bin/sh
ad_server = ad01.foobar.global
ad_domain = FOOBAR.GLOBAL
krb5_realm = FOOBAR.GLOBAL
realmd_tags = manages-system joined-with-adcli
cache_credentials = False
id_provider = ad
krb5_store_password_if_offline = True
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = simple
simple_allow_groups = Simple Users@FOOBAR.GLOBAL

[domain/FOOBAR_ADMINS.GLOBAL]
ldap_user_search_filter = (memberOf=CN=Administrators,OU=Security Groups,DC=FOOBAR,DC=GLOBAL)
default_shell = /bin/bash
ad_server = ad01.foobar.global
ad_domain = FOOBAR.GLOBAL
krb5_realm = FOOBAR.GLOBAL
realmd_tags = manages-system joined-with-adcli
cache_credentials = False
id_provider = ad
krb5_store_password_if_offline = True
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = simple
simple_allow_groups = Administrators@FOOBAR.GLOBAL

_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o...
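
The point made in the reply, that users are resolved under the sssd.conf section label rather than under ad_domain, can be checked mechanically. The following is an added example, not code from the thread or from the SSSD project; the function name login_name_report is hypothetical, the sample is a trimmed copy of the configuration quoted above, and the default full_name_format (user@section label) is assumed.

```python
import configparser

# Constructed sample: a trimmed copy of the sssd.conf quoted in the message above.
SAMPLE_CONF = """
[sssd]
domains = FOOBAR_ADMINS.GLOBAL,FOOBAR_NOLOGIN.GLOBAL
config_file_version = 2
services = nss, pam

[domain/FOOBAR_NOLOGIN.GLOBAL]
ad_domain = FOOBAR.GLOBAL
id_provider = ad
use_fully_qualified_names = True
default_shell = /bin/sh

[domain/FOOBAR_ADMINS.GLOBAL]
ad_domain = FOOBAR.GLOBAL
id_provider = ad
use_fully_qualified_names = True
default_shell = /bin/bash
"""


def login_name_report(conf_text, user="username"):
    """Return one dict per enabled domain section: the name to log in with
    and whether the section label differs from ad_domain."""
    cp = configparser.ConfigParser(interpolation=None)  # %u/%d are not interpolation
    cp.read_string(conf_text)
    enabled = [d.strip() for d in cp.get("sssd", "domains").split(",") if d.strip()]
    report = []
    for label in enabled:
        sec = cp["domain/" + label]
        fqn = sec.getboolean("use_fully_qualified_names", fallback=False)
        ad_domain = sec.get("ad_domain", fallback=label)
        report.append({
            "section": label,
            # Assumption: default full_name_format, written lowercase as in the reply.
            "login_as": f"{user}@{label.lower()}" if fqn else user,
            "label_differs_from_ad_domain": label.lower() != ad_domain.lower(),
            "default_shell": sec.get("default_shell", fallback=None),
        })
    return report


if __name__ == "__main__":
    for row in login_name_report(SAMPLE_CONF):
        print(row)
```

A section flagged with label_differs_from_ad_domain is one where logging in as username@foobar.global would not match, which is the situation described in the reply.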