For AD users, I believe you have two options.

1) Set the POSIX value on the user in AD for the shell
2) Set the following in your client's sssd.conf:

override_shell = /bin/bash

This would obviously be global per IPA client.
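
An sssd.conf fragment for option 2, added here as an illustration and not part of the original reply. Placing the setting in the [nss] section and the commented default_shell alternative are assumptions about the setup; both are documented SSSD options.

```ini
# /etc/sssd/sssd.conf on the IPA client (fragment; the [sssd] and
# [domain/...] sections are omitted). SSSD expects this file to be
# owned by root with mode 0600.

[nss]
# Option 2: every user resolved through SSSD on this host gets this
# shell, whatever the identity provider returns for that user.
override_shell = /bin/bash

# Alternative when per-user choice has to survive: default_shell is
# used only when the provider returns no shell for the user, so a
# shell value delivered with the account still takes precedence.
# default_shell = /bin/bash
```

After restarting sssd and expiring its cache (sss_cache -E), getent passwd for an AD user shows the shell the client will actually hand out.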


On Behalf Of Jon
Sent: Thursday, February 04, 2016 2:25 PM
Subject: [Freeipa-users] [freeipa-users] How to manage Linux attributes for AD 
users (e.g. how do I set a shell for an AD User)


How does one manage Linux attributes for AD users?  Primarily in my case, I'm 
looking to change the default shell to either Bash or KSH depending on the user.

I can create a .profile that either sources bash or ksh rcs... e.g.:

>> $ cat ~/.profile
>> bash ./.bashrc

This is really less than ideal and just seems like the wrong way to do it, 
especially considering we have a tool like FreeIPA.

According to 
 they are no longer supporting Identity Management for Unix.  Does FreeIPA 
honor the attributes set by IDMU?  Even if it's deprecated, I suppose we could 
continue to use it...
This previous FreeIPA 
seems to indicate you can force the shell for anyone in the domain logging into 
that machine, but we have some users who prefer one shell over the other.

I did what I believe to be standard: I created a security group in AD, added 
that group to an external group in FreeIPA, then made an internal group 
and added the external group as a member to the internal group.  Unfortunately, 
this doesn't seem to expose any of the AD attributes for management.  Or maybe 
I'm just misunderstanding...

Any thoughts?  How are you managing individual AD user settings?

Jon A
