skel_dir is only valid for domain types with id_provider=local
For any other provider except local, sssd doesn’t create the homedir, it just returns the
homedir value. So any tuning of the skeldir would have to be done on the side that creates
the home directory (pam_mkhomedir or such..)
On 8 Dec 2017, at 07:02, Иван Мастренко <i.mastrenko(a)gmail.com>
wrote:
Hello!
I'm trying to implement system, where could be logged 3 types of ldap users separated
per groups.
First type is full admin, another 2 is a very imited users, with rbash and unical per
group home dir, which defines which commands a allowed to this groups of users.
Can i set per-domain skel dir?
My conf:
[sssd]
services = nss, pam, autofs
config_file_version = 2
domains = 01_HW_ADMINS_DOMAIN, 02_TERMINAL_RESCTRICTEC_ACCESSS_DOMAIN,
03_SECURITY_AUDIT_DOMAIN
[domain/default]
debug_level = 7
[domain/01_HW_ADMINS_DOMAIN]
autofs_provider = ldap
cache_credentials = False
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://my.ldap.server:389
ldap_schema = rfc2307
ldap_default_bind_dn = uid=sssd,ou=ServiceAccounts,dc=my,dc=domain
ldap_default_authtok_type = obfuscated_password
ldap_default_authtok = *****
ldap_tls_reqcert = never
ldap_id_use_start_tls = False
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_search_base = dc=my,dc=domain
ldap_user_search_base =
ou=users,dc=my,dc=domain?subtree?(memberOf=cn=HW_ADMINS,ou=groups,dc=my,dc=domain)
ldap_group_search_base = ou=groups,dc=my,dc=domain
access_provider = ldap
ldap_access_filter = (memberOf=cn=HW_ADMINS,ou=groups,dc=my,dc=domain)
override_homedir = /home/%u
override_gid = 1001
override_shell = /bin/bash
skel_dir = /etc/skel_HWadm/
debug_level = 7
[domain/02_TERMINAL_RESCTRICTEC_ACCESSS_DOMAIN]
autofs_provider = ldap
cache_credentials = False
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://my.ldap.server:389
ldap_schema = rfc2307
ldap_default_bind_dn = uid=sssd,ou=ServiceAccounts,dc=my,dc=domain
ldap_default_authtok_type = obfuscated_password
ldap_default_authtok = *****
ldap_tls_reqcert = never
ldap_id_use_start_tls = False
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_search_base = dc=my,dc=domain
ldap_user_search_base =
ou=users,dc=my,dc=domain?subtree?(memberOf=cn=TERMINAL_RESCTRICTEC_ACCESSS,ou=groups,dc=my,dc=domain)
ldap_group_search_base = ou=groups,dc=my,dc=domain
access_provider = ldap
ldap_access_filter =
(memberOf=cn=TERMINAL_RESCTRICTEC_ACCESSS,ou=groups,dc=my,dc=domain)
override_homedir = /home/%u
override_gid = 1002
override_shell = /bin/rbash
skel_dir = /etc/skel_terminalaccess/
debug_level = 7
[domain/03_SECURITY_AUDIT_DOMAIN]
autofs_provider = ldap
cache_credentials = False
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
sudo_provider = none
ldap_uri = ldap://my.ldap.server:389
ldap_schema = rfc2307
ldap_default_bind_dn = uid=sssd,ou=ServiceAccounts,dc=my,dc=domain
ldap_default_authtok_type = obfuscated_password
ldap_default_authtok = *****
ldap_tls_reqcert = never
ldap_id_use_start_tls = False
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_search_base = dc=my,dc=domain
ldap_user_search_base =
ou=users,dc=my,dc=domain?subtree?(memberOf=cn=SECURITY_AUDIT,ou=groups,dc=my,dc=domain)
ldap_group_search_base = ou=groups,dc=my,dc=domain
access_provider = ldap
ldap_access_filter = (memberOf=cn=SECURITY_AUDIT,ou=groups,dc=my,dc=domain)
override_homedir = /home/%u
override_gid = 1003
override_shell = /bin/rbash
skel_dir = /etc/skel_secaud/
debug_level = 7
[nss]
homedir_substring = /home
debug_level = 7
[pam]
[autofs]
[ssh]
[pac]
[ifp]
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org