We have a FreeIPA / IdM environment that talks to Active Directory, where the user accounts live.
In the IdM GUI, I have navigated to: IPA Server -> Configuration
And I configured the "Default Shell" to: /bin/bash
However, whenever new users SSH to a server using their AD credentials, they are still put into a /bin/sh shell.
I have created an ID Override for myself by going to: Identity -> ID Views, editing the "Default Trust View", and adding myself. In my ID Override, I have set my own shell to /bin/bash
My guess is that the global option in IPA Server -> Configuration is only applied to local IPA accounts, and not AD accounts. Is that a correct assumption?
Is there any way that we can change the default shell for AD users without having to manually and individually create an ID Override?
White, David via FreeIPA-users wrote:
> We have a FreeIPA / IdM environment that talks to Active Directory, where the user accounts live.
> In the IdM GUI, I have navigated to: IPA Server -> Configuration
> And I configured the "Default Shell" to: /bin/bash
> However, whenever new users SSH to a server using their AD credentials, they are still put into a /bin/sh shell.
> I have created an ID Override for myself by going to: Identity -> ID Views, editing the "Default Trust View", and adding myself. In my ID Override, I have set my own shell to /bin/bash
> My guess is that the global option in IPA Server -> Configuration is only applied to local IPA accounts, and not AD accounts. Is that a correct assumption?

Yes.

> Is there any way that we can change the default shell for AD users without having to manually and individually create an ID Override?

You can do so directly in sssd by setting default_shell in sssd.conf. See also https://computingforgeeks.com/set-default-login-shell-on-sssd-for-ad-trust-u...
There is no way to tell ipa-client-install to do this automatically. You may be able to drop in a config snippet to do this though.
rob
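One way to ship the config snippet mentioned in the reply above, as an added example that is not part of the original thread. It assumes the sssd drop-in directory /etc/sssd/conf.d and a hypothetical file name 50-default-shell.conf, and it places default_shell in the [nss] section; the function names are illustrative.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. Assumed names: /etc/sssd/conf.d as the
# drop-in directory and 50-default-shell.conf as the snippet file name.

# write_shell_snippet CONFDIR SHELL [SHELLS_FILE]
# Writes CONFDIR/50-default-shell.conf and prints its path on success.
write_shell_snippet() {
    local confdir=$1 shell=$2 shells_file=${3:-/etc/shells}
    local target="$confdir/50-default-shell.conf" tmp

    # Accept only an absolute path without whitespace that is listed as a
    # valid login shell; a typo here would hand every AD user a broken shell.
    case $shell in
        ''|[!/]*|*[[:space:]]*)
            echo "invalid shell path: $shell" >&2; return 1 ;;
    esac
    grep -qxF -- "$shell" "$shells_file" || {
        echo "$shell is not listed in $shells_file" >&2; return 1; }

    # Build the file owner-only (0600) and move it into place in one step,
    # so sssd never reads a half-written or world-readable snippet.
    tmp=$(umask 077; mktemp "$confdir/.default-shell.XXXXXX") || return 1
    printf '[nss]\ndefault_shell = %s\n' "$shell" > "$tmp"
    chmod 600 "$tmp"
    mv -f "$tmp" "$target"
    printf '%s\n' "$target"
}

# apply_on_host SHELL
# Run as root on an enrolled client: write, validate, reload, flush cache.
apply_on_host() {
    write_shell_snippet /etc/sssd/conf.d "$1" || return 1
    sssctl config-check || return 1   # reports syntax and permission problems
    systemctl restart sssd
    sss_cache -E                      # expire cached entries holding the old shell
}
```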
Thank you. That looks perfect.
We're already placing a custom sssd file, so adding that setting is no big deal.
From: Rob Crittenden <rcritten@redhat.com>
Date: Wednesday, March 4, 2020 at 12:23 PM
To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
Cc: "White, David" <whitedm@epb.net>
Subject: Re: [Freeipa-users] Overriding the Default shell for Active Directory users
> White, David via FreeIPA-users wrote:
> > We have a FreeIPA / IdM environment that talks to Active Directory, where the user accounts live.
> > In the IdM GUI, I have navigated to: IPA Server -> Configuration
> > And I configured the "Default Shell" to: /bin/bash
> > However, whenever new users SSH to a server using their AD credentials, they are still put into a /bin/sh shell.
> > I have created an ID Override for myself by going to: Identity -> ID Views, editing the "Default Trust View", and adding myself. In my ID Override, I have set my own shell to /bin/bash
> > My guess is that the global option in IPA Server -> Configuration is only applied to local IPA accounts, and not AD accounts. Is that a correct assumption?
>
> Yes.
>
> > Is there any way that we can change the default shell for AD users without having to manually and individually create an ID Override?
>
> You can do so directly in sssd by setting default_shell in sssd.conf. See also https://computingforgeeks.com/set-default-login-shell-on-sssd-for-ad-trust-u...
> There is no way to tell ipa-client-install to do this automatically. You may be able to drop in a config snippet to do this though.
> rob