LinuxQuestions.org
Old 04-16-2014, 03:11 PM   #1
kfrank
LQ Newbie
 
Registered: Apr 2014
Posts: 3

Changing the shell for users on LDAP auth server


Hi,

I'm trying to change the default shell for a group of users on an Ubuntu 12.04 server. The server uses LDAP to create and authenticate users, so these people aren't in /etc/passwd, which leads to

root@tgit001:/home# chsh -s /usr/bin/git-shell user1
chsh: user 'user1' does not exist in /etc/passwd
root@tgit001:/home# usermod -s /usr/bin/git-shell user1
usermod: user 'user1' does not exist in /etc/passwd

I've tried changing the default shell by overriding the LDAP attribute for the login shell in /etc/ldap.conf

nss_override_attribute_value loginShell /usr/bin/git-shell

I then restarted nscd (don't ask me why; I was following someone else's post). I thought that would change the shell system-wide for LDAP accounts, but nothing changed.

Then I tried adding peeps to /etc/passwd manually with a script I wrote

Code:
#!/bin/bash
# For every member of the LDAP group (except the two bosses): copy the account
# into /etc/passwd if it is not there yet, switch that local entry to git-shell,
# and seed the user's git-shell-commands directory.
for i in $(ldapsearch -xLLL cn=groupNeedingDiffShells | grep memberUid | cut -d ' ' -f 2); do
    if [[ "$i" != "boss1" ]] && [[ "$i" != "boss2" ]]; then
        echo "Provisioning git-shell environment for $i..."
        # anchor the match so "user1" does not also match "xuser1:"
        if grep -q "^$i:" /etc/passwd; then
            echo "$i is already in /etc/passwd"
        else
            # append the NSS view of the account verbatim (echo would mangle whitespace)
            getent passwd "$i" >> /etc/passwd
        fi

        /usr/sbin/usermod -s /usr/bin/git-shell "$i"

        if [ ! -d "/home/$i/git-shell-commands" ]; then
            /bin/cp -R /usr/bin/git-shell-commands "/home/$i/"
            /bin/chown -R "$i:$i" "/home/$i/git-shell-commands"
            /bin/chmod -R 755 "/home/$i/git-shell-commands"
        fi

    fi
done

The above script works but my boss shot this down since he doesn't want me adding entries manually to /etc/passwd. So I guess my questions are

1. Is adding entries to /etc/passwd manually advisable in this scenario? What are some potential problems that may arise?

2. I don't want to change the loginShell attribute in LDAP for those users since we have a bunch more instances where a bash shell is needed. Is there some way to set a system-wide default shell? Or another command to change a user's shell that will work for LDAP users?

Thanks
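As an added example that is not part of the thread: question 1 above asks what can go wrong with copying LDAP accounts into /etc/passwd. The concrete problem is that with the usual `passwd: files ldap` order in /etc/nsswitch.conf the local copy wins, so later changes in the directory (a new UID or GID, a moved home directory, a disabled or deleted account) are no longer seen on that host. The script below is a drift check for exactly that situation: it compares a local passwd file against a dump of the directory view (`getent -s ldap passwd`, which assumes the NSS source is named `ldap`) and reports mismatches and orphans. The sample data is constructed so it runs offline; the 1000 minimum UID is an assumption about where directory users start.

```shell
#!/bin/sh
# Added example, not from the thread: detect drift between accounts copied into
# /etc/passwd and their current LDAP entries.
# passwd_drift LOCAL LDAP MINUID
#   LOCAL  - a passwd(5) file, e.g. /etc/passwd
#   LDAP   - the directory view in the same format, e.g. from: getent -s ldap passwd
#   MINUID - lowest UID that counts as a directory user (assumed 1000 here)
# Prints one line per mismatch; prints nothing when the two views agree.
# The shell field is ignored on purpose: changing it is why the copy was made.
passwd_drift() {
  awk -F: -v minuid="$3" '
    NR == FNR { ldap[$1] = $0; next }          # first file: directory view, keyed by name
    $1 in ldap {
      split(ldap[$1], d, ":")
      if ($3 != d[3]) printf "%s: uid local=%s ldap=%s\n",  $1, $3, d[3]
      if ($4 != d[4]) printf "%s: gid local=%s ldap=%s\n",  $1, $4, d[4]
      if ($6 != d[6]) printf "%s: home local=%s ldap=%s\n", $1, $6, d[6]
      next
    }
    # in the local file but gone from the directory: the host still accepts it
    $3 + 0 >= minuid { printf "%s: uid %s in local file but not in directory\n", $1, $3 }
  ' "$2" "$1"
}

# Constructed sample data (not real accounts): writes both files into a temp
# directory and prints that directory's name.
make_sample_files() {
  dir=$(mktemp -d)
  cat > "$dir/passwd.local" <<'EOF'
root:x:0:0:root:/root:/bin/bash
user1:x:10001:10001:User One:/home/user1:/usr/bin/git-shell
user2:x:10002:10002:User Two:/home/user2:/usr/bin/git-shell
gone:x:10003:10003:Left Company:/home/gone:/usr/bin/git-shell
EOF
  cat > "$dir/passwd.ldap" <<'EOF'
user1:*:10001:10001:User One:/home/user1:/bin/bash
user2:*:10002:20000:User Two:/srv/home/user2:/bin/bash
EOF
  printf '%s\n' "$dir"
}

# Stand-alone run against the sample: user2's gid and home have changed in the
# directory and "gone" no longer exists there, so three lines are printed.
d=$(make_sample_files)
passwd_drift "$d/passwd.local" "$d/passwd.ldap" 1000
```

On a real host the second argument would be `getent -s ldap passwd > /tmp/ldap.txt` taken while the directory is reachable; user1, whose only difference is the intended shell change, is correctly silent.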
 
Old 04-17-2014, 08:35 AM   #2
YankeePride13
Member
 
Registered: Aug 2012
Distribution: Ubuntu 10.04, CentOS 6.3, Windows 7
Posts: 262

If a user needs to run some programs in a different shell, they could just throw them in a shell script and execute it that way. You just have to change the shebang line to the type of shell you need.
 
Old 04-17-2014, 11:29 AM   #3
kfrank
LQ Newbie
 
Registered: Apr 2014
Posts: 3

Original Poster
I'm sorry I don't think I gave enough context.

So we want a group of users to only have a git-shell. That way they will only be able to execute git commands and nothing else once they log in. We don't want them to have any other shell access other than a git-shell.
 
Old 04-17-2014, 02:08 PM   #4
kfrank
LQ Newbie
 
Registered: Apr 2014
Posts: 3

Original Poster
OK so I found a solution but it's kind of a hack job. Putting it here just for future reference.

For each user in the LDAP group that we want to have git-shells, put a .profile in their home dirs with this line:

Code:
SHELL=/usr/bin/git-shell exec /usr/bin/git-shell

This opens up a git-shell for that user at login and never lets them have a bash shell. We're not going to use this however - turns out the way users are being created on that instance is screwy. We're working on fixing that rather than hacking together a way to give out git-shells to peeps right now.
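An added check, not part of the thread, on the .profile approach in the post above. sshd runs a remote command as `$SHELL -c '<command>'`, which is not a login shell, and bash reads ~/.profile only for login shells. So while `ssh host` would land the user in git-shell, `ssh host /bin/bash` (or any remote command, which is exactly how git itself talks over SSH) skips .profile and hands out a real shell. The script simulates both invocations against a throwaway home directory, with /bin/echo standing in for git-shell so it runs on any machine that has bash.

```shell
#!/bin/sh
# Added example, not from the thread: show that "exec git-shell" in ~/.profile
# only restricts interactive logins. bash reads ~/.profile as a login shell,
# but sshd runs a remote command as "$SHELL -c '<command>'", which is not one.
# /bin/echo stands in for /usr/bin/git-shell so this runs without git installed.

# Create a throwaway $HOME whose .profile mimics the poster's line.
make_fake_home() {
  home=$(mktemp -d)
  printf '%s\n' 'exec /bin/echo GITSHELL' > "$home/.profile"
  printf '%s\n' "$home"
}

# Interactive login ("ssh host"): bash starts as a login shell and reads
# ~/.profile; the exec there replaces bash before anything else can run.
as_login_shell() {
  HOME=$1 bash --login -c 'echo ESCAPED' 2>/dev/null
}

# Remote command ("ssh host /bin/bash", or git's own "ssh host git-upload-pack ..."):
# sshd runs "bash -c <command>"; no ~/.profile, so the command runs unrestricted.
as_remote_command() {
  HOME=$1 bash -c 'echo ESCAPED' 2>/dev/null
}

# Returns 0 only if both paths are confined, i.e. only if the hack would hold.
profile_hack_holds() {
  h=$(make_fake_home)
  case $(as_login_shell "$h") in *ESCAPED*) return 1 ;; esac
  case $(as_remote_command "$h") in *ESCAPED*) return 1 ;; esac
  return 0
}

h=$(make_fake_home)
echo "login shell:    $(as_login_shell "$h")"     # contains GITSHELL, never ESCAPED
echo "remote command: $(as_remote_command "$h")"  # ESCAPED
```

Only the real login shell closes this hole: set loginShell in the directory or map it on the host as the later reply describes, or pin the session with sshd's `ForceCommand`. A .profile runs after the shell has already been granted.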
 
Old 04-20-2014, 11:33 AM   #5
btmiller
Senior Member
 
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 4,290

Why not just use ldapmodify to change the loginShell entry of each DN (user) that you want to restrict to git-shell? That seems a lot more straightforward than your method and less error-prone too. Note, you may need to add /usr/bin/git-shell to /etc/shells.

If the users need to authenticate on a different server where they need a real shell, there are ways to do it. I've never used nss overrides, but on one system I have:

Code:
map passwd loginShell "/bin/bash"

to force all LDAP users' shells to be /bin/bash on that particular server.

There is a way to filter such that the mapping is only used for some users (but I've never used this), e.g.

Code:
filter passwd "(gidNumber=12345)"
map passwd loginShell "/usr/bin/git-shell"

This would make the shell of all users with a primary GID of 12345 /usr/bin/git-shell, if I read the documentation correctly.

I set these in /etc/nslcd.conf on the system. There are a couple other options. If you're using nslcd, you might check it out. I'm not sure if there's similar functionality in nscd or sssd.
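As an added example (not the poster's own code): the ldapmodify route from the reply above, scripted. The first function builds the LDIF that ldapmodify consumes, one `replace: loginShell` record per user; the second performs the /etc/shells check the reply mentions, since chsh and usermod refuse a shell that is not listed there. The DN layout `uid=<name>,ou=People,<base>`, the base DN `dc=example,dc=com`, the bind DN and the group name are assumptions for the example; the ldapsearch and ldapmodify calls need a live directory, so the stand-alone run only prints the LDIF.

```shell
#!/bin/sh
# Added example, not from the thread: set loginShell in LDAP for a list of users
# instead of copying them into /etc/passwd.
# Assumed layout: user entries live at uid=<name>,ou=People,<base>.

# build_loginshell_ldif BASE SHELL USER...  -> LDIF on stdout, one record per user.
# "replace" sets the attribute whether or not the entry already has one.
build_loginshell_ldif() {
  base=$1; shell=$2; shift 2
  for u in "$@"; do
    printf 'dn: uid=%s,ou=People,%s\nchangetype: modify\nreplace: loginShell\nloginShell: %s\n\n' \
      "$u" "$base" "$shell"
  done
}

# shell_is_registered SHELL [SHELLS_FILE] -> 0 if the path is listed (default /etc/shells).
# usermod -s and chsh consult this list; add git-shell there first or they refuse it.
shell_is_registered() {
  grep -qxF -- "$1" "${2:-/etc/shells}"
}

# group_members GROUP -> member names, one per line (needs a reachable directory;
# uses the default base and server from ldap.conf, like the original post).
group_members() {
  ldapsearch -xLLL "(cn=$1)" memberUid | awk '/^memberUid:/ { print $2 }'
}

# Live usage, as root, excluding the two exempt accounts from the original script:
#   users=$(group_members groupNeedingDiffShells | grep -vx -e boss1 -e boss2)
#   shell_is_registered /usr/bin/git-shell || echo /usr/bin/git-shell >> /etc/shells
#   build_loginshell_ldif dc=example,dc=com /usr/bin/git-shell $users \
#     | ldapmodify -x -D cn=admin,dc=example,dc=com -W

# Stand-alone run: print the LDIF for two constructed user names.
build_loginshell_ldif dc=example,dc=com /usr/bin/git-shell user1 user2
```

Note this changes the directory entry itself, so it applies on every host that reads LDAP; the per-host `filter`/`map` lines in nslcd.conf shown above are the way to keep bash elsewhere.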
 
Old 06-04-2015, 12:01 PM   #6
masoudmmf
LQ Newbie
 
Registered: Jun 2015
Posts: 1

chsh: user '' does not exist in /etc/passwd

If you are using LDAP authentication through PAM or something similar, you have to find your answer on your LDAP server. Let's take Microsoft AD as an example: in this case your domain account is not in /etc/passwd when you log in, but you can see your user's properties from AD with `getent passwd | grep user`. If at the end it shows your shell is /bin/csh, that's because there is an attribute for that in your AD, so if you have an administrator account on AD you can fix it yourself; otherwise ask your AD admin to enable Advanced Features in the View tab of Active Directory Users and Computers > user properties > UNIX Attributes > change the login shell to /bin/bash.

Be sure you didn't forget:
sudo /opt/pbis/bin/config LoginShellTemplate /bin/bash

if you used Likewise or similar for the join.

Done!
http://fereidonian.net/?p=52

Last edited by masoudmmf; 06-04-2015 at 08:10 PM.
 