Afaik it should be possible to set a users umask by putting something
like "umask=0007" in the GECOS field in combination with pam_umask.so.
pam_umask.so seems to be present on our systems. What I do not know is
in which file (at which exact position) I would have to put "session
optional
> On 14 Apr 2019, at 08:54, Alexander Bokovoy via FreeIPA-users
> wrote:
>
>>
>> It does work on the FreeIPA server all the time but fails on clients,
>> if I lookup the conflicting group before the use on the client it also
>> woks.
> This is SSSD-specific issue. Sometimes it doesn't have
