On Tue, Aug 29, 2017 at 01:52:12PM +0000, Eddleman, David via FreeIPA-users wrote:
> I’m not using the Default Trust View. This is a brand new trust view.

I cannot reproduce this with a non-default view and a current version of
SSSD either. Which version of SSSD are you using? Can you send the SSSD
domain logs with debug_level=10 which covers the steps on rhel7template?

bye,
Sumit

> 
> David Eddleman
> 
> On 8/29/17, 8:02 AM, "Sumit Bose via FreeIPA-users" <freeipa-users@lists.fedorahosted.org> wrote:
> 
>     On Mon, Aug 28, 2017 at 04:39:46PM +0000, Eddleman, David via FreeIPA-users wrote:
>     > So I've created an ID override on the IPA master called "TestShellView" to test out changing per-user requirements for shells.
>     > 
>     > Verify the ID override on the master:
>     > [root@ipamaster01 ~]# ipa idoverrideuser-find TestShellView
>     > --------------------------
>     > 1 User ID override matched
>     > --------------------------
>     >   Anchor to override: user@domain
>     >   GECOS: TEST ID VIEW
>     >   Login shell: /bin/ksh
>     > ----------------------------
>     > Number of entries returned 1
>     > ----------------------------
>     > 
>     > Good, looks as expected. I also tested the GECOS override just in case such a thing was needed in the future.
>     > 
>     > [root@rhel7template ~]# getent passwd user@domain
>     > user@domain:*:689709720:689709720:TEST ID VIEW:/home/domain/user:/bin/ksh
>     > 
>     > Looks good. It's doing what it's supposed to be doing.
>     > So now we remove the GECOS and shell settings in the webUI and verify via CLI that they're gone:
>     > 
>     > [root@ipamaster01 ~]# ipa idoverrideuser-find TestShellView
>     > --------------------------
>     > 1 User ID override matched
>     > --------------------------
>     >   Anchor to override: user@domain
>     > ----------------------------
>     > Number of entries returned 1
>     > ----------------------------
>     > 
>     > Still good so far. No overrides defined.
>     > 
>     > Clear the cache to verify that the data is fresh.
>     > 
>     > [root@rhel7template ~]# sss_cache -E
>     > [root@rhel7template ~]# getent passwd user@domain
>     > user@domain:*:689709720:689709720:TEST ID VIEW:/home/domain/user:/bin/ksh
>     
>     I'm pretty sure this works as expected with the 'Default Trust View'.
>     I'll try to reproduce with a non-default view.
>     
>     bye,
>     Sumit
>     
>     > 
>     > That's not right...
>     > The default and fallback don't call for ksh either:
>     > 
>     > [root@rhel7template ~]# cat /etc/sssd/sssd.conf | grep shell
>     > allowed_shells = /bin/bash,/bin/sh,/bin/ksh
>     > shell_fallback = /sbin/nologin
>     > default_shell = /bin/bash
>     > 
>     > So let's try purging the cache files...
>     > [root@rhel7template ~]# cd /var/lib/sss/db/
>     > [root@rhel7template db]# ls
>     > <cache file listing>
>     > [root@rhel7template db]# rm -f *
>     > [root@rhel7template db]# ls
>     > [root@rhel7template db]# service sssd restart
>     > Redirecting to /bin/systemctl restart sssd.service
>     > [root@rhel7template db]# getent passwd user@domain
>     > user@domain:*:689709720:689709720:Username:/home/domain/user:/bin/bash
>     > 
>     > Now it's showing what it's supposed to.
>     > 
>     > This shouldn't be happening. If we have to purge sss cache files each time we make an ID Override change, this won't work. Is this expected behavior, or is this a bug?
>     > 
>     > David Eddleman
>     
>     > _______________________________________________
>     > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>     > To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
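Added example, not part of the original thread: a shell check for the symptom reported above, where an attribute has been removed from the ID override on the server but the client still resolves the removed value after `sss_cache -E`. The function names are hypothetical, the sample inputs are constructed from the outputs quoted in the thread, and it assumes you recorded the GECOS and shell values that were removed.

```shell
#!/usr/bin/env bash
# Added example: detect stale ID-override values on an SSSD client.

# Print the value of one attribute ("Login shell", "GECOS") from
# `ipa idoverrideuser-find` output; prints nothing if the attribute is unset.
override_attr() {   # $1 = ipa output, $2 = attribute label
    printf '%s\n' "$1" | awk -v key="$2" '
        { sub(/^[ \t]+/, "") }
        index($0, key ": ") == 1 { print substr($0, length(key) + 3); exit }'
}

# Print one colon-separated field of a passwd line (5 = GECOS, 7 = shell).
passwd_field() {    # $1 = passwd line, $2 = field number
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# List the fields where the server no longer defines an override but the
# client still returns the value that was removed.
stale_fields() {    # $1 = ipa output, $2 = passwd line, $3 = old GECOS, $4 = old shell
    local stale=""
    if [ -z "$(override_attr "$1" "GECOS")" ] && [ "$(passwd_field "$2" 5)" = "$3" ]; then
        stale="gecos"
    fi
    if [ -z "$(override_attr "$1" "Login shell")" ] && [ "$(passwd_field "$2" 7)" = "$4" ]; then
        stale="${stale:+$stale }shell"
    fi
    printf '%s' "$stale"
}

# Constructed inputs mirroring the outputs quoted in the thread.
IPA_WITH_OVERRIDE='  Anchor to override: user@domain
  GECOS: TEST ID VIEW
  Login shell: /bin/ksh'
IPA_AFTER_REMOVAL='  Anchor to override: user@domain'
GETENT_STALE='user@domain:*:689709720:689709720:TEST ID VIEW:/home/domain/user:/bin/ksh'
GETENT_FRESH='user@domain:*:689709720:689709720:Username:/home/domain/user:/bin/bash'

echo "after sss_cache -E: [$(stale_fields "$IPA_AFTER_REMOVAL" "$GETENT_STALE" "TEST ID VIEW" /bin/ksh)]"
echo "after cache purge:  [$(stale_fields "$IPA_AFTER_REMOVAL" "$GETENT_FRESH" "TEST ID VIEW" /bin/ksh)]"
```

On a live system the two inputs would come from `ipa idoverrideuser-find TestShellView` on the master and `getent passwd user@domain` on the client.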