The config you have does not make any sense, really.
Obviously you have id_mapping turned on - in this case SSSD ignores any RFC2307 attributes
in AD - including loginshell.
If you want SSSD to honour RFC2307 attrs in AD, you need to turn ldap_id_mapping off.
Ondrej
-----Original Message-----
From: faktoriyel [mailto:faktoriyel@yahoo.com]
Sent: Wednesday, September 07, 2016 1:06 PM
To: sssd-users(a)lists.fedorahosted.org
Subject: [SSSD-users] SSSD and Active Directory loginShell and unixHomeDirectory caching problem.
Hi Guys.
This is my first question in this mailing list and I already apologize for the missing
info and logs. I use a RHEL 7.2 server and try to log in from A.D. with PAM. This is my
sssd version info:
sssd-common-pac-1.13.0-40.el7.x86_64
sssd-krb5-1.13.0-40.el7.x86_64
python-sssdconfig-1.13.0-40.el7.noarch
sssd-client-1.13.0-40.el7.x86_64
sssd-krb5-common-1.13.0-40.el7.x86_64
sssd-ad-1.13.0-40.el7.x86_64
sssd-ldap-1.13.0-40.el7.x86_64
sssd-proxy-1.13.0-40.el7.x86_64
sssd-common-1.13.0-40.el7.x86_64
sssd-ipa-1.13.0-40.el7.x86_64
sssd-1.13.0-40.el7.x86_64
I have successfully joined A.D. with net ads join and started the sssd service. Here is my
sssd.conf file:
[sssd]
config_file_version = 2
services = nss, pam
domains = xxx.local
[nss]
shell_fallback = /sbin/nologin
allowed_shells = /bin/bash,/bin/sh
default_shell = /sbin/nologin
filter_groups = root
filter_users = root
[domain/default]
cache_credentials = False
ldap_enumeration_refresh_timeout = 600
ldap_purge_cache_timeout = 600
[domain/yurticikargo.local]
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
ad_server = xx01.xx.local,xx03.xx.local
ad_domain = xx.local
ldap_krb5_keytab = /etc/krb5.keytab
ldap_krb5_init_creds = true
ldap_idmap_range_size = 100000000
ldap_idmap_range_max = 2000200000
ldap_schema = ad
cache_credentials = False
ldap_enumeration_refresh_timeout = 600
ldap_purge_cache_timeout = 600
ldap_user_shell = loginShell
After that, when I check any user account with getent, I get correct info from Active
Directory, especially the loginShell and unixHomeDirectory fields. I change the login method
to sss and log in with ssh; everything is fine, but when I log out and re-login, the user's
loginShell and unixHomeDirectory info disappears and I fall to the nologin shell.
After cleaning the sssd cache file and a fresh start of sssd:
getent passwd xxxx
xxxx:*:1101569237:1101586812:xxxxx:/home/applicationadmins:/bin/bash
after ssh login/logout with user xxxx:
getent passwd xxxx
xxxx:*:1101569237:1101586812:xxxx:/:/sbin/nologin
I think sssd doesn't cache the loginShell and unixHomeDirectory info from A.D., and when
I log in the first time it writes some info to the cache that doesn't include this
information. When I re-login it gets the info from the cache files and doesn't find
loginShell etc. And then I fall to the nologin shell. Is this a bug, or am I missing something?
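A small lint for the pitfall Ondrej describes, added here as an illustration and not part of the thread or of SSSD itself: with id_provider = ad, SSSD leaves ldap_id_mapping on by default, and then the RFC2307 POSIX attributes in AD (and the ldap_user_shell / ldap_user_home_directory mappings that point at them) are ignored. The sample configs are constructed, trimmed from the one posted above.

```python
"""Flag sssd.conf domains where id mapping is on but POSIX attribute
mappings are configured, so the mappings have no effect (added example)."""
import configparser

# Attribute-mapping options SSSD only honours with ldap_id_mapping off.
POSIX_ATTR_OPTIONS = ("ldap_user_shell", "ldap_user_home_directory",
                      "ldap_user_uid_number", "ldap_user_gid_number")

def id_mapping_enabled(section):
    """Effective ldap_id_mapping for one [domain/...] section."""
    raw = section.get("ldap_id_mapping")
    if raw is None:
        # Unset: SSSD defaults it to True for the AD provider, False otherwise.
        return section.get("id_provider", "").strip().lower() == "ad"
    return raw.strip().lower() in ("true", "yes", "1")

def lint_sssd_conf(text):
    """Return [(domain, message)] for every domain with ineffective mappings."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []
    for name in cp.sections():
        if not name.startswith("domain/"):
            continue
        sect = cp[name]
        used = [opt for opt in POSIX_ATTR_OPTIONS if opt in sect]
        if used and id_mapping_enabled(sect):
            findings.append((name, f"id mapping is on; {', '.join(used)} ignored"))
    return findings

# Constructed sample: the shape of the config posted above, domain name replaced.
SAMPLE_AS_POSTED = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = xx.local

[domain/xx.local]
id_provider = ad
auth_provider = ad
ldap_schema = ad
ldap_idmap_range_size = 100000000
ldap_user_shell = loginShell
"""
# The change Ondrej recommends: turn id mapping off so RFC2307 attrs apply.
SAMPLE_FIXED = SAMPLE_AS_POSTED + "ldap_id_mapping = False\n"

if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_AS_POSTED), ("fixed", SAMPLE_FIXED)):
        print(label, "->", lint_sssd_conf(cfg) or "no findings")
```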