On Thu, Feb 04, 2016 at 01:57:20PM -0600, Jon wrote:
> Hi Josh,
>
> I think that's exactly the problem though, how does one set POSIX
> attributes in AD from Linux guests?
>
> The RedHat documentation has a big warning that the Microsoft IDMU has been
> deprecated.

IIRC the UI is, the schema is not.

> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/ex.sssd-ad-posix.html
>
> Surely you're not suggesting manually editing the AD Schema...?
>
> Also, another use case is ssh keys. I'm not even sure that IDMU has an
> option for "authorized_keys" (and FreeIPA doesn't seem to honor what's in
> .ssh/authorized_keys... when that file exists I always get prompted for a
> password then access denied).

For per-AD-user ssh pubkeys, you can use the idviews feature:

    ipa idoverrideuser-add --sshpubkey=STR

see: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/id-views.html

Same for shells, although as Josh said, shells can be set globally for all
users in sssd.conf.

> I'm sure there are other per-user level attributes that are required, home
> directory perhaps?, but the two big ones are shell and ssh keys. I can't
> be the only one who has a use case for managing these attributes for Active
> Directory users.
>
> Thanks,
> Jon A
>
> On Thu, Feb 4, 2016 at 1:30 PM, Baird, Josh <jba...@follett.com> wrote:
>
> > For AD users, I believe you have two options.
> >
> > 1) Set the POSIX value on the user in AD for the shell
> > 2) Set the following in your client's sssd.conf:
> >
> >     [nss]
> >     override_shell = /bin/bash
> >
> > This would obviously be global per IPA client.
> >
> > Josh
> >
> > From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Jon
> > Sent: Thursday, February 04, 2016 2:25 PM
> > To: email@example.com
> > Subject: [Freeipa-users] [freeipa-users] How to manage Linux attributes for AD users (e.g. how do I set a shell for an AD User)
> >
> > Hello,
> >
> > How does one manage Linux attributes for AD users? Primarily in my case,
> > I'm looking to change the default shell to either Bash or KSH depending on
> > the user.
> >
> > I can create a .profile that either sources bash or ksh rcs... e.g.:
> >
> > >> $ cat ~/.profile
> > >> bash ./.bashrc
> >
> > This is really less than ideal and just seems like the wrong way to do it,
> > especially considering we have a tool like FreeIPA.
> >
> > According to Microsoft
> > <http://blogs.technet.com/b/activedirectoryua/archive/2015/01/25/identity-management-for-unix-idmu-is-deprecated-in-windows-server.aspx>,
> > they are no longer supporting Identity Management for Unix. Does FreeIPA
> > honor the attributes set by IDMU? Even if it's deprecated, I suppose we
> > could continue to use it...
> >
> > This previous FreeIPA thread
> > <https://www.redhat.com/archives/freeipa-users/2013-April/msg00007.html>
> > seems to indicate you can force the shell for anyone in the domain logging
> > into that machine, but we have some users who prefer one shell over the other.
> >
> > I did what I believe to be standard: I created a security group in AD,
> > added that group to an external group in FreeIPA, then made an internal
> > group and added the external group as a member of the internal group.
> > Unfortunately, this doesn't seem to expose any of the AD attributes for
> > management. Or maybe I'm just misunderstanding...
> >
> > Any thoughts? How are you managing individual AD user settings?
> >
> > Thanks,
> >
> > Jon A
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
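An added example, not code from the thread or from the FreeIPA project: a small Python helper that validates a per-user login shell and SSH public key before emitting the `ipa idoverrideuser-add` commands the reply above points to for ID views. The ID view name `linux_shells`, the AD user names and the key material are constructed placeholders; the `--shell` option is assumed to exist alongside the `--sshpubkey` option quoted in the reply, and the allowed-shell list stands in for `/etc/shells` on a real host.

```python
"""Build validated per-user ID view overrides (added example, not from the thread)."""
import base64
import shlex
import struct

# Assumption: stands in for /etc/shells on the client; read that file on a real host.
ALLOWED_SHELLS = ("/bin/bash", "/bin/ksh", "/bin/sh")

# Assumption: only these OpenSSH key types are accepted for sshpubkey overrides.
KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256")


def validate_shell(shell, allowed=ALLOWED_SHELLS):
    """A login shell must be an absolute path that is on the allowed list."""
    return shell.startswith("/") and shell in allowed


def validate_pubkey(line):
    """Check an OpenSSH public-key line: known type, strict base64, and the
    leading length-prefixed string inside the blob matches the declared type."""
    fields = line.split()
    if len(fields) < 2 or fields[0] not in KEY_TYPES:
        return False
    try:
        blob = base64.b64decode(fields[1], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    if len(blob) < 4:
        return False
    (name_len,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + name_len] == fields[0].encode()


def build_override_commands(view, overrides):
    """Turn {user: {"shell": ..., "sshpubkey": ...}} into argv lists for
    'ipa idoverrideuser-add VIEW USER ...'. Invalid values raise instead of
    producing a command, so a bad shell or key never reaches the directory."""
    commands = []
    for user, attrs in sorted(overrides.items()):
        argv = ["ipa", "idoverrideuser-add", view, user]
        shell = attrs.get("shell")
        if shell is not None:
            if not validate_shell(shell):
                raise ValueError(f"{user}: {shell!r} is not an allowed login shell")
            argv.append(f"--shell={shell}")
        key = attrs.get("sshpubkey")
        if key is not None:
            if not validate_pubkey(key):
                raise ValueError(f"{user}: malformed SSH public key")
            argv.append(f"--sshpubkey={key}")
        commands.append(argv)
    return commands


def constructed_ed25519_key():
    """A syntactically valid ssh-ed25519 line with a dummy all-zero 32-byte key;
    constructed for this example, not a real key."""
    name = b"ssh-ed25519"
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", 32) + bytes(32)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " jon@example"


if __name__ == "__main__":
    # Placeholder view name and AD user names.
    overrides = {
        "jon@ad.example.com": {"shell": "/bin/ksh", "sshpubkey": constructed_ed25519_key()},
        "alice@ad.example.com": {"shell": "/bin/bash"},
    }
    for argv in build_override_commands("linux_shells", overrides):
        print(shlex.join(argv))
```

The check on the key blob catches the common copy-paste failure where the type word and the base64 body come from different keys. Note the caveat from Josh's reply: `override_shell` in the client's `sssd.conf` `[nss]` section applies to every user on that client, so per-user shell overrides in an ID view only have an effect on clients that are not forcing a global shell.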