> One part of the question is not clear to me:
> Is the context AD users coming via trusts or is the client configured to
> access AD directly?
They are from trust, not directly.
> Anyhow, you can override the shell on the client using the
> override_shell directive of sssd.conf. Simply put it into the domain
> section and restart the SSSD.
Thanks for that tip, will try that one.
Let me also note that changing the default shell doesn't change the
shell for any existing users (not entirely sure how this applies to
trust users, it might get particularly wonky on different machines as
each machine's sssd cache could have a different shell).
Freeipa-users mailing list