So I've created an ID override on the IPA master called "TestShellView" to test out changing per-user requirements for shells.
Verify the ID override on the master:

[root@ipamaster01 ~]# ipa idoverrideuser-find TestShellView
--------------------------
1 User ID override matched
--------------------------
Anchor to override: user@domain
GECOS: TEST ID VIEW
Login shell: /bin/ksh
----------------------------
Number of entries returned 1
----------------------------

Good, looks as expected. I also tested the GECOS override just in case such a thing was needed in the future.

[root@rhel7template ~]# getent passwd user@domain
user@domain:*:689709720:689709720:TEST ID VIEW:/home/domain/user:/bin/ksh

Looks good. It's doing what it's supposed to be doing. So now we remove the GECOS and shell settings in the webUI and verify via CLI that they're gone:

[root@ipamaster01 ~]# ipa idoverrideuser-find TestShellView
--------------------------
1 User ID override matched
--------------------------
Anchor to override: user@domain
----------------------------
Number of entries returned 1
----------------------------

Still good so far. No overrides defined. Clear the cache to verify that the data is fresh.

[root@rhel7template ~]# sss_cache -E
[root@rhel7template ~]# getent passwd user@domain
user@domain:*:689709720:689709720:TEST ID VIEW:/home/domain/user:/bin/ksh

That's not right... The default and fallback don't call for ksh either:

[root@rhel7template ~]# cat /etc/sssd/sssd.conf | grep shell
allowed_shells = /bin/bash,/bin/sh,/bin/ksh
shell_fallback = /sbin/nologin
default_shell = /bin/bash

So let's try purging the cache files...

[root@rhel7template ~]# cd /var/lib/sss/db/
[root@rhel7template db]# ls
<cache file listing>
[root@rhel7template db]# rm -f *
[root@rhel7template db]# ls
[root@rhel7template db]# service sssd restart
Redirecting to /bin/systemctl restart sssd.service
[root@rhel7template db]# getent passwd user@domain
user@domain:*:689709720:689709720:Username:/home/domain/user:/bin/bash

Now it's showing what it's supposed to. This shouldn't be happening.

If we have to purge sss cache files each time we make an ID Override change, this won't work. Is this expected behavior, or is this a bug?

David Eddleman