skel_dir is only valid for domain types with id_provider=local.

For any other provider except local, sssd doesn’t create the homedir, it just returns the homedir value. So any tuning of the skeldir would have to be done on the side that creates the home directory (pam_mkhomedir or such..)

> On 8 Dec 2017, at 07:02, Иван Мастренко <[email protected]> wrote:
>
> Hello!
> I'm trying to implement a system where 3 types of ldap users, separated
> per groups, could log in.
> The first type is full admin; the other 2 are very limited users, with rbash
> and a unique per-group home dir, which defines which commands are allowed to
> these groups of users.
>
> Can I set a per-domain skel dir?
>
> My conf:
>
> [sssd]
> services = nss, pam, autofs
> config_file_version = 2
> domains = 01_HW_ADMINS_DOMAIN, 02_TERMINAL_RESCTRICTEC_ACCESSS_DOMAIN, 03_SECURITY_AUDIT_DOMAIN
>
>
> [domain/default]
> debug_level = 7
>
>
> [domain/01_HW_ADMINS_DOMAIN]
> autofs_provider = ldap
> cache_credentials = False
> id_provider = ldap
> auth_provider = ldap
> chpass_provider = ldap
>
> ldap_uri = ldap://my.ldap.server:389
> ldap_schema = rfc2307
> ldap_default_bind_dn = uid=sssd,ou=ServiceAccounts,dc=my,dc=domain
> ldap_default_authtok_type = obfuscated_password
> ldap_default_authtok = *****
>
> ldap_tls_reqcert = never
> ldap_id_use_start_tls = False
> ldap_tls_cacertdir = /etc/openldap/cacerts
>
> ldap_search_base = dc=my,dc=domain
> ldap_user_search_base = ou=users,dc=my,dc=domain?subtree?(memberOf=cn=HW_ADMINS,ou=groups,dc=my,dc=domain)
> ldap_group_search_base = ou=groups,dc=my,dc=domain
>
> access_provider = ldap
> ldap_access_filter = (memberOf=cn=HW_ADMINS,ou=groups,dc=my,dc=domain)
>
> override_homedir = /home/%u
> override_gid = 1001
> override_shell = /bin/bash
> skel_dir = /etc/skel_HWadm/
>
> debug_level = 7
>
>
> [domain/02_TERMINAL_RESCTRICTEC_ACCESSS_DOMAIN]
> autofs_provider = ldap
> cache_credentials = False
> id_provider = ldap
> auth_provider = ldap
> chpass_provider = ldap
>
> ldap_uri = ldap://my.ldap.server:389
> ldap_schema = rfc2307
> ldap_default_bind_dn = uid=sssd,ou=ServiceAccounts,dc=my,dc=domain
> ldap_default_authtok_type = obfuscated_password
> ldap_default_authtok = *****
>
> ldap_tls_reqcert = never
> ldap_id_use_start_tls = False
> ldap_tls_cacertdir = /etc/openldap/cacerts
>
> ldap_search_base = dc=my,dc=domain
> ldap_user_search_base = ou=users,dc=my,dc=domain?subtree?(memberOf=cn=TERMINAL_RESCTRICTEC_ACCESSS,ou=groups,dc=my,dc=domain)
> ldap_group_search_base = ou=groups,dc=my,dc=domain
>
> access_provider = ldap
> ldap_access_filter = (memberOf=cn=TERMINAL_RESCTRICTEC_ACCESSS,ou=groups,dc=my,dc=domain)
>
> override_homedir = /home/%u
> override_gid = 1002
> override_shell = /bin/rbash
> skel_dir = /etc/skel_terminalaccess/
>
>
> debug_level = 7
>
>
>
> [domain/03_SECURITY_AUDIT_DOMAIN]
> autofs_provider = ldap
> cache_credentials = False
> id_provider = ldap
> auth_provider = ldap
> chpass_provider = ldap
> sudo_provider = none
>
> ldap_uri = ldap://my.ldap.server:389
> ldap_schema = rfc2307
> ldap_default_bind_dn = uid=sssd,ou=ServiceAccounts,dc=my,dc=domain
> ldap_default_authtok_type = obfuscated_password
> ldap_default_authtok = *****
>
> ldap_tls_reqcert = never
> ldap_id_use_start_tls = False
> ldap_tls_cacertdir = /etc/openldap/cacerts
>
> ldap_search_base = dc=my,dc=domain
> ldap_user_search_base = ou=users,dc=my,dc=domain?subtree?(memberOf=cn=SECURITY_AUDIT,ou=groups,dc=my,dc=domain)
> ldap_group_search_base = ou=groups,dc=my,dc=domain
>
> access_provider = ldap
> ldap_access_filter = (memberOf=cn=SECURITY_AUDIT,ou=groups,dc=my,dc=domain)
>
> override_homedir = /home/%u
> override_gid = 1003
> override_shell = /bin/rbash
> skel_dir = /etc/skel_secaud/
>
> debug_level = 7
>
>
>
> [nss]
> homedir_substring = /home
> debug_level = 7
>
> [pam]
>
> [autofs]
>
> [ssh]
>
> [pac]
>
> [ifp]
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
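
An added example, not part of the original thread and not SSSD project configuration: one way to do the tuning on the pam_mkhomedir side, choosing the skeleton by the primary GID that each domain's override_gid assigns. It assumes these lines sit in the session section of the PAM service used for login (the file name is distribution-specific) and that NSS returns the overridden GID for the user.

```conf
# Added example (assumption: placed in the session stack of the login service,
# e.g. the sshd service file or the distribution's shared session include).
#
# Pattern: pam_succeed_if succeeds when the user is NOT in the given domain,
# and success=1 then skips the pam_mkhomedir line that follows. When the GID
# matches, the test fails, default=ignore discards that result, and the next
# line runs with that domain's skeleton.
#
# "required" makes the login fail if the home directory cannot be created,
# so a restricted account never starts without its per-group profile.

# 01_HW_ADMINS_DOMAIN (override_gid = 1001)
session  [success=1 default=ignore]  pam_succeed_if.so quiet gid ne 1001
session  required                    pam_mkhomedir.so skel=/etc/skel_HWadm umask=0077

# 02_TERMINAL_RESCTRICTEC_ACCESSS_DOMAIN (override_gid = 1002)
session  [success=1 default=ignore]  pam_succeed_if.so quiet gid ne 1002
session  required                    pam_mkhomedir.so skel=/etc/skel_terminalaccess umask=0077

# 03_SECURITY_AUDIT_DOMAIN (override_gid = 1003)
session  [success=1 default=ignore]  pam_succeed_if.so quiet gid ne 1003
session  required                    pam_mkhomedir.so skel=/etc/skel_secaud umask=0077
```

pam_mkhomedir copies the skeleton only when the home directory does not exist yet, and the copied files end up owned by the user. For the rbash accounts, the startup files that set PATH therefore need separate protection if they are meant to stay fixed.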
