On 02/20/2014 03:37 PM, John P Arends wrote:
I’m new to SSSD in general. I configured a RHEL 6.5 machine to
authenticate against a 2008 R2 AD using ldap_id_mapping because
our AD does not have unix information defined for users. All
appears to be working well. I had to add override_homedir =
/home/%u to get home directories to be created by oddjob
mkhomedir.
The only problem is the group ownership on the home directory is
“domain users” rather than the user’s private group. The default
permissions also allow domain users read/execute access to the
home directory.
It looks like you can change the umask used in
/etc/pam.d/system-auth-ac, but I don’t see where I can control the
group information. Any suggestions on best practices on how to fix
this? I was surprised it wasn’t in the docs.
"Domain Users" most likely *is* the user's primary group. By default,
Active Directory doesn't create user-private groups. If you run 'id
username', you should see "gid=XXX(domain users)" which is telling you
what the default group is.
You will want to change this on the Active Directory side, or else use
a umask on the RHEL system to set the created directories as not
readable by the group members. See
/etc/oddjobd.conf.d/oddjobd-mkhomedir.conf for details. You can modify
the '-u' option to the mkhomedir call to do this.
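An added example, not part of the thread: a small Python audit that reads an oddjobd-mkhomedir.conf-style file, pulls the `-u` umask from each helper exec line, and reports whether home directories created with it would be enterable by the owner's primary group (such as "domain users") or by others. The XML element layout and the 0022/0077 values in the embedded sample are assumptions modelled on the real file, not copied from the thread.

```python
import re
import stat
import xml.etree.ElementTree as ET

# Constructed sample modelled on /etc/oddjobd.conf.d/oddjobd-mkhomedir.conf.
# Element layout and the two umask values are assumptions for this example;
# 0022 leaves the new directory group-readable, 0077 does not.
SAMPLE_CONF = """<?xml version="1.0"?>
<oddjobconfig>
  <service name="com.redhat.oddjob_mkhomedir">
    <object name="/">
      <interface name="com.redhat.oddjob_mkhomedir">
        <method name="mkmyhomedir">
          <helper exec="/usr/libexec/oddjob/mkhomedir -u 0022" arguments="0"/>
        </method>
        <method name="mkhomedirfor">
          <helper exec="/usr/libexec/oddjob/mkhomedir -u 0077" arguments="1"/>
        </method>
      </interface>
    </object>
  </service>
</oddjobconfig>
"""

UMASK_RE = re.compile(r"(?:^|\s)-u\s*([0-7]{3,4})\b")

def umask_from_exec(exec_line, default=0o022):
    """Umask the helper will apply; 'default' is assumed when no -u is given."""
    m = UMASK_RE.search(exec_line)
    return int(m.group(1), 8) if m else default

def homedir_mode(umask):
    """Permission bits of a directory created as 0777 & ~umask."""
    return 0o777 & ~umask

def audit(conf_xml):
    """Map each <method> name to (umask, resulting mode, exposed); exposed is
    True when the primary group ("domain users" here) or others get rwx bits."""
    findings = {}
    root = ET.fromstring(conf_xml)
    for method in root.iter("method"):
        helper = method.find("helper")
        if helper is None:
            continue
        um = umask_from_exec(helper.get("exec", ""))
        mode = homedir_mode(um)
        exposed = bool(mode & (stat.S_IRWXG | stat.S_IRWXO))
        findings[method.get("name")] = (um, mode, exposed)
    return findings
```

Run `audit(open("/etc/oddjobd.conf.d/oddjobd-mkhomedir.conf").read())` on a real host to see which methods still create group-accessible home directories.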