Home / server / Questions / 980282
Accepted
Stefan Seidel
Asked: 2019-08-23 01:20:29 +0800 CST

SSSD storing wrong shell in cache

  • 772

I am using SSSD to authenticate users on Linux against a local Active Directory server (Windows). It works fine, this is my config:

[sssd]
domains = my.domain
config_file_version = 2
services = nss, pam

[domain/my.domain]
ad_domain = my.domain
ad_server = my-dc.my.domain
krb5_realm = MY.DOMAIN
realmd_tags = joined-with-samba
cache_credentials = true
auth_provider = ad
id_provider = ad
krb5_store_password_if_offline = true
default_shell = /bin/bash
ldap_id_mapping = true
use_fully_qualified_names = false
fallback_homedir = /home/%u
access_provider = simple
simple_allow_groups = IT

The problem is: we have one user who wants zsh. So I changed the users loginShell attribute to /usr/bin/zsh. This works fine the first time the user logs in. But as soon as the user has logged in and I do getent passwd username, it says the user's shell is /bin/bash. So when the user logs out and in again, indeed bash is used as shell.

When I do sss_cache -u username, the shell is set correctly again and the user gets the correct shell on login. I do not want to disable caching because any domain controller downtime should not have an impact on the Linux user logins.

I tried to remove default_shell, but it only changes that the default shell is empty instead of /bin/bash, so same behaviour.

active-directory

2 Answers

  1. You can use default in nss section.

    [nss]
default_shell = /bin/bash

    And override using override_shell = <your shell> 

    override_shell (string)
    Override the login shell for all users. This option can be specified globally in the [nss] section or per-domain.

    Edit1: for group specific changes 

    [sssd]
config_file_version = 2
services = nss, pam
domains=DOMAIN_GROUP1,DOMAIN_GROUP2,DOMAIN

[nss]
default_shell = /bin/bash

[domain/DOMAIN_GROUP1]
id_provider = ad
ad_domain = mydomain.local
ad_server = mydc01.domain.local,mydc02.domain.local,mydc03.domain.local
# Restrict to group members
ldap_user_search_base = DC=domain,DC=local?subtree?(memberOf=CN=group1,OU=Groups,DC=domain,DC=local)
# Shell
override_shell = /shell/path/for/group1
# Homedir
override_homedir = /home/%u

#same way for other groups
[domain/DOMAIN_GROUP2]
..........
..........
..........

    Hope this will help.

    • 2
  2. Best Answer

    Since the other answer is completely wrong, here is the actual solution (from https://lists.fedorahosted.org/archives/list/[email protected]/thread/BXFRHRI5VCLTQNE565ZVGZTEGALSNNJY/):

    I wonder if SSSD is connecting to the Global Catalog for some lookups but not others, which yields the POSIX attributes as 'removed' when SSSD looks up the info in GC and effectivelly removes them from the cache.

    Setting: ad_enable_gc = false in the [domain] section would prove if this hypothesis is true.

    So this is the solution, disable the Global Catalog lookups. Many thanks to @Lennie who suggested this also in the first place but I didn't do it until now.

    • 0