I’m not using the Default Trust View. This is a brand new trust view.

David Eddleman

On 8/29/17, 8:02 AM, "Sumit Bose via FreeIPA-users" <freeipa-users@lists.fedorahosted.org> wrote:

    On Mon, Aug 28, 2017 at 04:39:46PM +0000, Eddleman, David via FreeIPA-users wrote:
    > So I've created an ID override on the IPA master called "TestShellView" to test out changing per-user requirements for shells.
    > 
    > Verify the ID override on the master:
    > [root@ipamaster01 ~]# ipa idoverrideuser-find TestShellView
    > --------------------------
    > 1 User ID override matched
    > --------------------------
    >   Anchor to override: user@domain
    >   GECOS: TEST ID VIEW
    >   Login shell: /bin/ksh
    > ----------------------------
    > Number of entries returned 1
    > ----------------------------
    > 
    > Good, looks as expected. I also tested the GECOS override just in case such a thing was needed in the future.
    > 
    > [root@rhel7template ~]# getent passwd user@domain
    > user@domain:*:689709720:689709720:TEST ID VIEW:/home/domain/user:/bin/ksh
    > 
    > Looks good. It's doing what it's supposed to be doing.
    > So now we remove the GECOS and shell settings in the webUI and verify via CLI that they're gone:
    > 
    > [root@ipamaster01 ~]# ipa idoverrideuser-find TestShellView
    > --------------------------
    > 1 User ID override matched
    > --------------------------
    >   Anchor to override: user@domain
    > ----------------------------
    > Number of entries returned 1
    > ----------------------------
    > 
    > Still good so far. No overrides defined.
    > 
    > Clear the cache to verify that the data is fresh.
    > 
    > [root@rhel7template ~]# sss_cache -E
    > [root@rhel7template ~]# getent passwd user@domain
    > user@domain:*:689709720:689709720:TEST ID VIEW:/home/domain/user:/bin/ksh
    
    I'm pretty sure this works as expected with the 'Default Trust View'.
    I'll try to reproduce with a non-default view.
    
    bye,
    Sumit
    
    > 
    > That's not right...
    > The default and fallback don't call for ksh either:
    > 
    > [root@rhel7template ~]# cat /etc/sssd/sssd.conf | grep shell
    > allowed_shells = /bin/bash,/bin/sh,/bin/ksh
    > shell_fallback = /sbin/nologin
    > default_shell = /bin/bash
    > 
    > So let's try purging the cache files...
    > [root@rhel7template ~]# cd /var/lib/sss/db/
    > [root@rhel7template db]# ls
    > <cache file listing>
    > [root@rhel7template db]# rm -f *
    > [root@rhel7template db]# ls
    > [root@rhel7template db]# service sssd restart
    > Redirecting to /bin/systemctl restart sssd.service
    > [root@rhel7template db]# getent passwd user@domain
    > user@domain:*:689709720:689709720:Username:/home/domain/user:/bin/bash
    > 
    > Now it's showing what it's supposed to.
    > 
    > This shouldn't be happening. If we have to purge sss cache files each time we make an ID Override change, this won't work. Is this expected behavior, or is this a bug?
    > 
    > David Eddleman
    
    > _______________________________________________
    > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
    > To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org