Hi Josh,

I think that's exactly the problem though, how does one set POSIX attributes in AD from Linux guests?

The RedHat documentation has a big warning that the Microsoft IDMU has been deprecated.

>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/ex.sssd-ad-posix.html

Surely you're not suggesting manually editing the AD Schema...?

Also, another use case is ssh keys. I'm not even sure that IDMU has an option for "authorized_keys" (and FreeIPA doesn't seem to honor what's in .ssh/authorized keys... when that file exists I always get prompted for a password then access denied).

I'm sure there are other per-user level attributes that are required, home directory perhaps?, but the two big ones are shell and ssh keys. I can't be the only one who has a use case for managing these attributes for Active Directory users.

Thanks,
Jon A

On Thu, Feb 4, 2016 at 1:30 PM, Baird, Josh <jba...@follett.com> wrote:

> For AD users, I believe you have two options.
>
> 1) Set the POSIX value on the user in AD for the shell
>
> 2) Set the following in your client's sssd.conf:
>
> [nss]
> override_shell = /bin/bash
>
> This would obviously be global per IPA client.
>
> Josh
>
> *From:* freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] *On Behalf Of *Jon
> *Sent:* Thursday, February 04, 2016 2:25 PM
> *To:* freeipa-users@redhat.com
> *Subject:* [Freeipa-users] [freeipa-users] How to manage Linux attributes for AD users (e.g. how do I set a shell for an AD User)
>
> Hello,
>
> How does one manage Linux attributes for AD users? Primarily in my case, I'm looking to change the default shell to either Bash or KSH depending on the user.
>
> I can create a .profile that either sources bash or ksh rcs... e.g.:
>
> >> $ cat ~/.profile
> >> bash ./.bashrc
>
> This is really less than ideal and just seems like the wrong way to do it, especially considering we have a tool like FreeIPA.
>
> According to Microsoft <http://blogs.technet.com/b/activedirectoryua/archive/2015/01/25/identity-management-for-unix-idmu-is-deprecated-in-windows-server.aspx>, they are no longer supporting Identity Management for Unix. Does FreeIPA honor the attributes set by IDMU? Even if it's deprecated, I suppose we could continue to use it...
>
> This previous FreeIPA thread <https://www.redhat.com/archives/freeipa-users/2013-April/msg00007.html> seems to indicate you can force the shell for anyone in the domain logging into that machine, but we have some users who prefer one shell over the other.
>
> I did what I believe to be standard, I created a security group in AD, added that group to an external group in FreeIPA, then made an internal group and added the external group as a member to the internal group. Unfortunately, this doesn't seem to expose any of the AD attributes for management. Or maybe I'm just misunderstanding...
>
> Any thoughts? How are you managing individual AD user settings?
>
> Thanks,
>
> Jon A