To do that you’d need some kind of mapping facility. Without modifying sssd I’d 
suggest symbolic links.

I thought /bin/shell worked everywhere. It’s /usr/bin that may or may not.

On Jan 26, 2018, at 1:16 PM, Mike Kelly via FreeIPA-users 
<freeipa-users@lists.fedorahosted.org> wrote:


Hrm, is there any provision for different paths for the same shell on different 
platforms? (E.g. bash on Linux vs FreeBSD)

On Fri, Jan 26, 2018, 1:04 PM Charles Hedrick via FreeIPA-users 
<freeipa-users@lists.fedorahosted.org> wrote:
Turns out there is a way. It seems to be a recent addition, as it wasn’t in the 
documentation I looked at originally.

[nss]
allowed_shells = *
shell_fallback = /bin/bash

The semantics of allowed_shells is kind of interesting.
* any shell in /etc/shells is OK
* any shell in allowed_shells but not in /etc/shells gets replaced by the 
fallback
* if allowed_shells isn’t set, any shell is used, even if it doesn’t exist

So setting allowed_shells to * does what you’d want: any shell in /etc/shells 
is OK. Otherwise you get the fallback.

* as a possible value is relatively new.

This is really what I’d expect default behavior to be if allowed_shells isn’t 
set.


> On Jan 26, 2018, at 8:20 AM, Robbie Harwood via FreeIPA-users 
> <freeipa-users@lists.fedorahosted.org> wrote:
>
> Rob Crittenden via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
> writes:
>
>> Charles Hedrick via FreeIPA-users wrote:
>>
>>> One of my staff made a typo in his shell in “ipa user-mod --shell”. It
>>> can be hard to recover from, since you can’t login.
>>>
>>> Is there a way to restrict what they can use? Traditionally only
>>> shells in /etc/shells were valid.
>>
>> There is no way currently.
>>
>> Note that part of the problem is which /etc/shells to use? Remember
>> that IPA is centralized and users may be using a number of different
>> operating systems. This is why the default shell is /bin/sh, because
>> it is nearly universal.
>
> At the very least, it would be good to restrict it to /etc/shells on the
> current machine.  Doesn't cover everything, but it's an improvement.
>
> Thanks,
> --Robbie
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org


--

Mike Kelly
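
The allowed_shells / shell_fallback evaluation discussed in this thread, as an added Python example that is not part of the original messages or of SSSD's own code. It follows the order of evaluation in sssd.conf(5), whose third step (a nologin shell when the shell is in neither list) is not mentioned in the thread; the function names, the nologin path and the sample users are assumptions constructed for illustration.

```python
# Added example: models only allowed_shells and shell_fallback, no other [nss] options.
NOLOGIN = "/sbin/nologin"  # assumption: the nologin path is build-dependent

# Constructed sample data (not from the thread).
ETC_SHELLS_LINUX = """\
# /etc/shells: valid login shells
/bin/sh
/bin/bash
/usr/bin/zsh
"""
DIRECTORY_USERS = {
    "alice": "/bin/bash",            # valid on this host
    "bob": "/bin/bsh",               # typo made with "ipa user-mod --shell"
    "carol": "/usr/local/bin/bash",  # FreeBSD path for bash
}


def parse_etc_shells(text):
    """Return the set of absolute shell paths listed in /etc/shells content."""
    stripped = (line.split("#", 1)[0].strip() for line in text.splitlines())
    return {path for path in stripped if path.startswith("/")}


def resolve_shell(shell, etc_shells, allowed_shells=None, fallback="/bin/sh"):
    """Effective login shell on one host; allowed_shells=None means unset."""
    if allowed_shells is None:
        return shell        # unset: used as-is, even if it does not exist
    if shell in etc_shells:
        return shell        # 1. listed in this host's /etc/shells
    if "*" in allowed_shells or shell in allowed_shells:
        return fallback     # 2. allowed, but not in /etc/shells here
    return NOLOGIN          # 3. in neither list: login is refused


def audit(users, etc_shells, allowed_shells, fallback):
    """Map each user whose directory shell would be replaced to (old, new)."""
    changed = {}
    for user, shell in sorted(users.items()):
        effective = resolve_shell(shell, etc_shells, allowed_shells, fallback)
        if effective != shell:
            changed[user] = (shell, effective)
    return changed


if __name__ == "__main__":
    report = audit(DIRECTORY_USERS, parse_etc_shells(ETC_SHELLS_LINUX), ["*"], "/bin/bash")
    for user, (old, new) in report.items():
        print(f"{user}: {old} -> {new}")
```

Run against a host's real /etc/shells and an export of directory login shells, the audit lists accounts that would silently land in the fallback shell on that host.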
