Re: [Freeipa-users] Default shell for AD-domain accounts

2016-01-25 Thread Rob Verduijn
Maybe the difference was that I used a fresh demo installation from
windows 2012r2 server.
I only added the ad-controller, dns and ntp functionality for testing.
(and all the patches...which literally takes a day to complete on a
system with 4 cores and 4G ram)

I also found out that dnssec is not default, so I disabled dnssec
validation on the ipa server in the named.conf.
Because this already cost me a day's work debugging and not to mention
lack of knowledge on how to do this in ad.

Minor side note,
according to:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/trust-requirements.html#dns-realm-settings
In the dns verification checks it tells you to verify the kerberos udp record
dig +short -t SRV _kerberos._udp.dc._msdcs.ad.example.com.
This yields no response

There is no udp record in the AD, but there is a tcp record.
dig +short -t SRV _kerberos._tcp.dc._msdcs.ad.example.com.
This gives a response

I also validated the trust on the AD side, I'm not sure this is needed.

After doing this I can issue the command : 'id AD.DOMAIN\\ADUSER' and
I get a response telling me the uid/gid/ad-id/ad-group etc.

Rob Verduijn

2016-01-25 9:24 GMT+01:00 Jakub Hrozek :
> On Sun, Jan 24, 2016 at 08:03:09PM +0100, Rob Verduijn wrote:
>> Hi,
>>
>> H microsoft removes the UI, but leaves the schema extension.
>> Does not really make sense, but after some googling this does seem to
>> be the case.
>>
>> Your comment made me check google with some different keywords and I
>> found that there was this irritation that was solved by somebody. (at
>> microsoft)
>>
>> http://blogs.technet.com/b/sfu/archive/2013/07/08/ldap-calls-made-from-the-unix-client-query-incorrect-login-shell.aspx
>>
>> That explains why modifying the loginShell attribute did not work.
>>
>> I put the 'ldap_user_shell=msSFU30LoginShell' in the
>> [domain/ipadomain] section from sssd.conf.
>> This is required I guess on all ipa-clients that AD-accounts get access to.
>
> Hmm, is this really required? The thing is that the IPA clients get
> their information through an extended operation and it's the SSSD on the
> IPA server that does the heavy lifting and just passes the info to the
> clients.
>
> I'll try to find some time later to test this..
>
>>
>> And now all users seem to get the /bin/bash that can be set in the
>> AD-user attribute loginShell
>>
>> ( glad to see they keep their camel case in sync everywhere in the AD )
>>
>> Thanks for thinking along on this one.
>> Rob Verduijn
>>
>> 2016-01-24 16:02 GMT+01:00 Jakub Hrozek :
>> >
>> >> On 24 Jan 2016, at 12:00, Rob Verduijn  wrote:
>> >>
>> >> Hello,
>> >>
>> >> I'm trying to get an ipa server to trust a microsoft AD-domain.
>> >>
>> >> So far I've managed to get the trust to work and I can login with an
>> >> active directory user on the ipa clients.
>> >>
>> >> Now I see the default shell is set to /bin/sh.
>> >> Since the preferred shell is bash for me I wish to change this.
>> >> It doesn't help to set this in the ipa server config since these
>> >> accounts are external ms accounts.
>> >>
>> >> In the good old days we used to have posix attributes schemas in the
>> >> AD one of them being the shell.
>> >>
>> >> Sadly this is a thing of the past.
>> >   
>> >
>> > Are you referring to IMU being deprecated? IIRC the attributes should 
>> > work..even though MS is deprecating the UI..
>> >
>> > Alternatively, since the clients read the ID info via the server,
>> > overriding the shell in IPA server's sssd.conf should work as well.
>> >
>> >> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/ex.sssd-ad-posix.html
>> >>
>> >> How do I define a new default shell for all ms-AD accounts in ipa ?
>> >>
>> >> Cheers
>> >> Rob Verduijn
>> >>
>> >

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Default shell for AD-domain accounts

2016-01-25 Thread Jakub Hrozek
On Sun, Jan 24, 2016 at 08:03:09PM +0100, Rob Verduijn wrote:
> Hi,
> 
> H microsoft removes the UI, but leaves the schema extension.
> Does not really make sense, but after some googling this does seem to
> be the case.
> 
> Your comment made me check google with some different keywords and I
> found that there was this irritation that was solved by somebody. (at
> microsoft)
> 
> http://blogs.technet.com/b/sfu/archive/2013/07/08/ldap-calls-made-from-the-unix-client-query-incorrect-login-shell.aspx
> 
> That explains why modifying the loginShell attribute did not work.
> 
> I put the 'ldap_user_shell=msSFU30LoginShell' in the
> [domain/ipadomain] section from sssd.conf.
> This is required I guess on all ipa-clients that AD-accounts get access to.

Hmm, is this really required? The thing is that the IPA clients get
their information through an extended operation and it's the SSSD on the
IPA server that does the heavy lifting and just passes the info to the
clients.

I'll try to find some time later to test this..

> 
> And now all users seem to get the /bin/bash that can be set in the
> AD-user attribute loginShell
> 
> ( glad to see they keep their camel case in sync everywhere in the AD )
> 
> Thanks for thinking along on this one.
> Rob Verduijn
> 
> 2016-01-24 16:02 GMT+01:00 Jakub Hrozek :
> >
> >> On 24 Jan 2016, at 12:00, Rob Verduijn  wrote:
> >>
> >> Hello,
> >>
> >> I'm trying to get an ipa server to trust a microsoft AD-domain.
> >>
> >> So far I've managed to get the trust to work and I can login with an
> >> active directory user on the ipa clients.
> >>
> >> Now I see the default shell is set to /bin/sh.
> >> Since the preferred shell is bash for me I wish to change this.
> >> It doesn't help to set this in the ipa server config since these
> >> accounts are external ms accounts.
> >>
> >> In the good old days we used to have posix attributes schemas in the
> >> AD one of them being the shell.
> >>
> >> Sadly this is a thing of the past.
> >   
> >
> > Are you referring to IMU being deprecated? IIRC the attributes should 
> > work..even though MS is deprecating the UI..
> >
> > Alternatively, since the clients read the ID info via the server,
> > overriding the shell in IPA server's sssd.conf should work as well.
> >
> >> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/ex.sssd-ad-posix.html
> >>
> >> How do I define a new default shell for all ms-AD accounts in ipa ?
> >>
> >> Cheers
> >> Rob Verduijn
> >>
> >



Re: [Freeipa-users] Default shell for AD-domain accounts

2016-01-24 Thread Rob Verduijn
Hi,

H microsoft removes the UI, but leaves the schema extension.
Does not really make sense, but after some googling this does seem to
be the case.

Your comment made me check google with some different keywords and I
found that there was this irritation that was solved by somebody. (at
microsoft)

http://blogs.technet.com/b/sfu/archive/2013/07/08/ldap-calls-made-from-the-unix-client-query-incorrect-login-shell.aspx

That explains why modifying the loginShell attribute did not work.

I put the 'ldap_user_shell=msSFU30LoginShell' in the
[domain/ipadomain] section from sssd.conf.
This is required I guess on all ipa-clients that AD-accounts get access to.

And now all users seem to get the /bin/bash that can be set in the
AD-user attribute loginShell

( glad to see they keep their camel case in sync everywhere in the AD )

Thanks for thinking along on this one.
Rob Verduijn

2016-01-24 16:02 GMT+01:00 Jakub Hrozek :
>
>> On 24 Jan 2016, at 12:00, Rob Verduijn  wrote:
>>
>> Hello,
>>
>> I'm trying to get an ipa server to trust a microsoft AD-domain.
>>
>> So far I've managed to get the trust to work and I can login with an
>> active directory user on the ipa clients.
>>
>> Now I see the default shell is set to /bin/sh.
>> Since the preferred shell is bash for me I wish to change this.
>> It doesn't help to set this in the ipa server config since these
>> accounts are external ms accounts.
>>
>> In the good old days we used to have posix attributes schemas in the
>> AD one of them being the shell.
>>
>> Sadly this is a thing of the past.
>   
>
> Are you referring to IMU being deprecated? IIRC the attributes should 
> work..even though MS is deprecating the UI..
>
> Alternatively, since the clients read the ID info via the server, overriding
> the shell in IPA server's sssd.conf should work as well.
>
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/ex.sssd-ad-posix.html
>>
>> How do I define a new default shell for all ms-AD accounts in ipa ?
>>
>> Cheers
>> Rob Verduijn
>>
>



Re: [Freeipa-users] Default shell for AD-domain accounts

2016-01-24 Thread Jakub Hrozek

> On 24 Jan 2016, at 12:00, Rob Verduijn  wrote:
> 
> Hello,
> 
> I'm trying to get an ipa server to trust a microsoft AD-domain.
> 
> So far I've managed to get the trust to work and I can login with an
> active directory user on the ipa clients.
> 
> Now I see the default shell is set to /bin/sh.
> Since the preferred shell is bash for me I wish to change this.
> It doesn't help to set this in the ipa server config since these
> accounts are external ms accounts.
> 
> In the good old days we used to have posix attributes schemas in the
> AD one of them being the shell.
> 
> Sadly this is a thing of the past.
  

Are you referring to IMU being deprecated? IIRC the attributes should 
work..even though MS is deprecating the UI..

Alternatively, since the clients read the ID info via the server, overriding
the shell in IPA server's sssd.conf should work as well.

> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/ex.sssd-ad-posix.html
> 
> How do I define a new default shell for all ms-AD accounts in ipa ?
> 
> Cheers
> Rob Verduijn
> 




Re: [Freeipa-users] Default shell for AD-domain accounts

2016-01-24 Thread Rob Verduijn
Doing this on a per user basis is nice when you have only a few users.
Since I expect this to become a source of frustration in the future
for new users, is there any way to automate this with a workaround?
ie somehow pull the groups from the ad and automagically create the
user view override ?

Cheers
Rob Verduijn

2016-01-24 15:40 GMT+01:00 Alexander Bokovoy :
> On Sun, 24 Jan 2016, Rob Verduijn wrote:
>>
>> Hello,
>>
>> I'm trying to get an ipa server to trust a microsoft AD-domain.
>>
>> So far I've managed to get the trust to work and I can login with an
>> active directory user on the ipa clients.
>>
>> Now I see the default shell is set to /bin/sh.
>> Since the preferred shell is bash for me I wish to change this.
>> It doesn't help to set this in the ipa server config since these
>> accounts are external ms accounts.
>>
>> In the good old days we used to have posix attributes schemas in the
>> AD one of them being the shell.
>>
>> Sadly this is a thing of the past.
>>
>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/ex.sssd-ad-posix.html
>>
>> How do I define a new default shell for all ms-AD accounts in ipa ?
>
> You can use ID overrides per user to add shell override.
>
> We don't have templated overrides, though, so these are individual, per
> user.
> --
> / Alexander Bokovoy

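One way to do the automation asked about above, as an added example that is not from the thread or from the FreeIPA project: resolve an AD group through SSSD with getent and create a per-user login-shell override in the IPA trust view for each member with 'ipa idoverrideuser-add'. It assumes a Kerberos ticket for an IPA admin is held on the IPA server, and the group name and script file name are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA: create a per-user
# login-shell override in the IPA trust view for every member of an AD group,
# so the per-user 'ipa idoverrideuser-add' step does not have to be typed by hand.
# Assumes: SSSD on the IPA server resolves AD groups via getent, a Kerberos
# ticket for an IPA admin is held (kinit admin), and the group name is a placeholder.
set -eu

ID_VIEW="Default Trust View"   # the ID view IPA applies to trusted-domain users
LOGIN_SHELL="/bin/bash"

# Split the member field of a 'getent group' line (name:x:gid:m1,m2,...) into one
# member per line; prints nothing for a group without members.
group_members() {
    members="${1##*:}"
    [ -n "$members" ] || return 0
    printf '%s\n' "$members" | tr ',' '\n'
}

# Build the override command for one AD user and return it as a string, so the
# change can be reviewed in a dry run before anything is written to IPA.
override_cmd() {
    printf "ipa idoverrideuser-add '%s' '%s' --shell=%s" "$ID_VIEW" "$1" "$LOGIN_SHELL"
}

# Resolve the AD group through SSSD and print (APPLY unset) or run (APPLY=1) one
# override per member. An already existing override makes 'ipa' fail for that
# user; the loop reports it and continues with the next one.
sync_shell_overrides() {
    group="$1"
    line="$(getent group "$group")" || { echo "group not found: $group" >&2; return 1; }
    group_members "$line" | while IFS= read -r user; do
        [ -n "$user" ] || continue
        if [ "${APPLY:-0}" = "1" ]; then
            ipa idoverrideuser-add "$ID_VIEW" "$user" --shell="$LOGIN_SHELL" \
                || echo "override not added for $user (already present?)" >&2
        else
            override_cmd "$user"; echo
        fi
    done
}

# Saved as e.g. ad-shell-overrides.sh (placeholder name):
#   dry run:  ./ad-shell-overrides.sh 'linux users@ad.example.com'
#   apply:    APPLY=1 ./ad-shell-overrides.sh 'linux users@ad.example.com'
if [ $# -gt 0 ]; then
    sync_shell_overrides "$1"
fi
```

Run it once without APPLY to review the exact commands it will issue; re-running it later only adds overrides for members that do not have one yet.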


Re: [Freeipa-users] Default shell for AD-domain accounts

2016-01-24 Thread Alexander Bokovoy

On Sun, 24 Jan 2016, Rob Verduijn wrote:

> Hello,
>
> I'm trying to get an ipa server to trust a microsoft AD-domain.
>
> So far I've managed to get the trust to work and I can login with an
> active directory user on the ipa clients.
>
> Now I see the default shell is set to /bin/sh.
> Since the preferred shell is bash for me I wish to change this.
> It doesn't help to set this in the ipa server config since these
> accounts are external ms accounts.
>
> In the good old days we used to have posix attributes schemas in the
> AD one of them being the shell.
>
> Sadly this is a thing of the past.
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/ex.sssd-ad-posix.html
>
> How do I define a new default shell for all ms-AD accounts in ipa ?

You can use ID overrides per user to add shell override.

We don't have templated overrides, though, so these are individual, per
user.
--
/ Alexander Bokovoy



[Freeipa-users] Default shell for AD-domain accounts

2016-01-24 Thread Rob Verduijn
Hello,

I'm trying to get an ipa server to trust a microsoft AD-domain.

So far I've managed to get the trust to work and I can login with an
active directory user on the ipa clients.

Now I see the default shell is set to /bin/sh.
Since the preferred shell is bash for me I wish to change this.
It doesn't help to set this in the ipa server config since these
accounts are external ms accounts.

In the good old days we used to have posix attributes schemas in the
AD one of them being the shell.

Sadly this is a thing of the past.
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/ex.sssd-ad-posix.html

How do I define a new default shell for all ms-AD accounts in ipa ?

Cheers
Rob Verduijn
