|
Changing the shell for users on LDAP auth server
Hi,
I'm trying to change the default shell for a group of users on an ubuntu 12.04 server. The server uses LDAP to create and authenticate users so these people aren't in /etc/passwd which leads to root@tgit001:/home# chsh -s /usr/bin/git-shell user1 chsh: user 'user1' does not exist in /etc/passwd root@tgit001:/home# usermod -s /usr/bin/git-shell user1 usermod: user 'user1' does not exist in /etc/passwd I've tried changed the default shell by overriding the ldap attribute for the login shell in /etc/ldap.conf nss_override_attribute_value loginShell /usr/bin/git-shell I then restarted nscd (don't ask me why I was following someone else's post). Thought that would change the shell system-wide for LDAP accounts but nothing changed. Then I tried adding peeps to /etc/passwd manually with a script I wrote Code:
for i in `ldapsearch -xLLL cn=groupNeedingDiffShells | grep memberUid | cut -d ' ' -f 2`; doThe above script works but my boss shot this down since he doesn't want me adding entries manually to /etc/passwd. So I guess my questions are 1. Is adding entries to /etc/passwd manually advisable in this scenario? What are some potential problems that may arise? 2. I don't want to change the loginShell attribute in LDAP for those users since we have a bunch more instances where a bash shell is needed. Is there some way to set a system-wide default shell? Or another command to change a user's shell that will work for LDAP users? THanks |
If a user needs to run some programs in a different shell, they could just throw it in a shell script and execute it that way. Just have to change the shabang line to the type of shell you need.
|
I'm sorry I don't think I gave enough context.
So we want a group of users to only have a git-shell. That way they will only be able to execute git commands and nothing else once they log in. We don't want them to have any other shell access other than a git-shell. |
OK so I found a solution but it's kind of a hack job. Putting it here just for future reference.
For each user in the LDAP group that we want to have git-shells, put a .profile in their home dirs with this line: Code:
SHELL=/usr/bin/git-shell exec /usr/bin/git-shell |
Why not just use ldapmodify to change the loginShell entry of each DN (user) that you want to restrict to git-shell? That seems a lot more straightforward than your method and less error-prone too. Note, you may need to add /usr/bin/git-shell to /etc/shells.
If the users need to authenticate on a different server where they need a real shell, there are ways to do it. I've never used nss overrides, but on one system I have: Code:
map passwd loginShell "/bin/bash"There is a way to filter such that the mapping is only used for some users (but I've never used this), e.g.L Code:
filter passwd "(gidNumber=12345)"I set these in /etc/nslcd.conf on the system. There are a couple other options. If you're using nslcd, you might check it out. I'm not sure if there's similar functionality in nscd or sssd. |
chsh: user '' does not exist in /etc/passwd
if you are using LDAP authentication by PAM or something, you have to find your answer in your LDAP Server , let's aim it for Microsoft AD , in this case your domain account is not in /etc/passwd when you login , but you can see your user property in AD , by #getent passwd | grep user , if at the end it shows your shell is /bin/csh that's because in your AD there is a attribute for that, so if you have administrator account on AD , you can fix it your self otherwise just say it to your AD admin to , enable advance features in View tab of Active directory users and computers > user properties > UNIX attributes > change the login shell to /bin/bash
be sure you didn't forgt : sudo /opt/pbis/bin/config LoginShellTemplate /bin/bash if you used likewise or .. for join done! http://fereidonian.net/?p=52 |
| All times are GMT -5. The time now is 01:33 AM. |