
I am using SSSD to authenticate users on Linux against a local Active Directory server (Windows). It works fine; this is my config:

[sssd]
domains = my.domain
config_file_version = 2
services = nss, pam

[domain/my.domain]
ad_domain = my.domain
ad_server = my-dc.my.domain
krb5_realm = MY.DOMAIN
realmd_tags = joined-with-samba
cache_credentials = true
auth_provider = ad
id_provider = ad
krb5_store_password_if_offline = true
default_shell = /bin/bash
ldap_id_mapping = true
use_fully_qualified_names = false
fallback_homedir = /home/%u
access_provider = simple
simple_allow_groups = IT

The problem is: we have one user who wants zsh. So I changed the user's loginShell attribute to /usr/bin/zsh. This works fine the first time the user logs in. But as soon as the user has logged in and I do getent passwd username, it says the user's shell is /bin/bash. So when the user logs out and in again, bash is indeed used as the shell.

When I do sss_cache -u username, the shell is set correctly again and the user gets the correct shell on login. I do not want to disable caching because any domain controller downtime should not have an impact on the Linux user logins.

I tried to remove default_shell, but it only changes that the default shell is empty instead of /bin/bash, so same behaviour.

Stefan Seidel

2 Answers


You can use default_shell in the [nss] section.

[nss]
default_shell = /bin/bash

And override it using override_shell = <your shell>:

override_shell (string)
    Override the login shell for all users. This option can be specified globally in the [nss] section or per-domain. 

Edit 1: for group-specific changes

[sssd]
config_file_version = 2
services = nss, pam
# One [domain/...] section per group; all of them point at the same AD domain
domains = DOMAIN_GROUP1,DOMAIN_GROUP2,DOMAIN

[nss]
default_shell = /bin/bash

[domain/DOMAIN_GROUP1]
id_provider = ad
# ad_domain must match the DC=... components used in the search base below
ad_domain = domain.local
ad_server = mydc01.domain.local,mydc02.domain.local,mydc03.domain.local
# Restrict to group members (base?scope?filter syntax)
ldap_user_search_base = DC=domain,DC=local?subtree?(memberOf=CN=group1,OU=Groups,DC=domain,DC=local)
# Shell
override_shell = /shell/path/for/group1
# Homedir
override_homedir = /home/%u

#same way for other groups
[domain/DOMAIN_GROUP2]
..........
..........
..........

Hope this will help.

asktyagi

Since the other answer is completely wrong, here is the actual solution (from https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org/thread/BXFRHRI5VCLTQNE565ZVGZTEGALSNNJY/):

I wonder if SSSD is connecting to the Global Catalog for some lookups but not others, which yields the POSIX attributes as 'removed' when SSSD looks up the info in GC and effectively removes them from the cache.

Setting: ad_enable_gc = false in the [domain] section would prove if this hypothesis is true.

So this is the solution: disable the Global Catalog lookups. Many thanks to @Lennie who suggested this in the first place, but I didn't do it until now.

Stefan Seidel
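The fix from the answer above applied to the configuration in the question, as an added example: this is not the original poster's file, it reuses the host and domain names from the question and the comments are mine. With ad_enable_gc = false SSSD stops querying the Global Catalog (LDAP port 3268) and reads users from the domain's own LDAP port (389) only. The reason that matters here is that loginShell and unixHomeDirectory are POSIX attributes that are not part of the Global Catalog's partial attribute set unless an administrator adds them, so a GC lookup returns the user without a shell, SSSD writes that empty value over the cached loginShell, and default_shell wins on the next login.

```ini
[sssd]
domains = my.domain
config_file_version = 2
services = nss, pam

[domain/my.domain]
ad_domain = my.domain
ad_server = my-dc.my.domain
krb5_realm = MY.DOMAIN
realmd_tags = joined-with-samba
cache_credentials = true
auth_provider = ad
id_provider = ad
krb5_store_password_if_offline = true
default_shell = /bin/bash
ldap_id_mapping = true
use_fully_qualified_names = false
fallback_homedir = /home/%u
access_provider = simple
simple_allow_groups = IT

# Added line (the fix): talk only to the domain's LDAP endpoint on port 389,
# never to the Global Catalog on port 3268. The GC does not carry the POSIX
# attributes (loginShell, unixHomeDirectory) unless they were added to its
# partial attribute set, so a GC lookup returns the user with no shell and
# SSSD replaces the cached loginShell with that empty value; default_shell
# then takes over on the next login.
ad_enable_gc = false
```

After editing the file, restart sssd and flush the stale entry with sss_cache -u username; getent passwd username should then keep reporting /usr/bin/zsh both before and after the user has logged in. Two caveats from the sssd-ad man page: disabling the GC does not stop SSSD from resolving users in trusted domains (it uses their LDAP port instead), but cross-domain group memberships can only be resolved through the GC, so in a multi-domain forest the alternative is to keep ad_enable_gc at its default and instead replicate loginShell and unixHomeDirectory to the Global Catalog by setting isMemberOfPartialAttributeSet on those schema attributes. In a single-domain setup like the one in the question, group-based access via simple_allow_groups = IT continues to work unchanged.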