SSSD – How to Force Users in Different Groups to Use Different Shells

active-directorysssd

I have an Active Directory working as id, access and auth provider for my CentOS 7 servers using sssd. I have been following this post in order to have users from different groups use different shells as they login but I have some issues.
Here is my sssd.conf file:

[sssd]
domains = dev, domain.local
config_file_version = 2
services = nss, pam

[nss]
default_shell = /bin/bash

[domain/dev]
ad_domain = domain.local
krb5_realm = DOMAIN.LOCAL
ad_server = adserver.domain.local
id_provider = ad
access_provider = ad
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u
override_shell = /bin/tcsh
ldap_user_search_base = cn=dev,ou=Security Groups,ou=Domain,dc=domain,dc=local #According to sssd-ldap man page ldap_user_search_filter is deprecated


[domain/domain.local]
ad_server = adserver.domain.local
ad_domain = domain.local
krb5_realm = DOMAIN.LOCAL
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u
access_provider = ad

The idea is when someone from dev group logins, the shell would be tcsh and when some other folk logins, it uses bash. The issue is, with this conf, I can login succesfully with Smith, a member of dev group and it gets to tcsh succesfully, but if I login with John, member also of the domain but not a member of dev, it happens the following:

Reviewing /var/log/secure I get an authentication failure first from pam_unix and then a success from pam_sss
First user logins as john and get its shell as tcsh (even though it should be bash).Second, user logins as john@domain.local and gets bash. Third, user logins again as john and now it gets correct shell (bash)

Apparently sssd after checking second domain with the FQDN it caches the user shell and on the third login it does it right.
Which is the correct configuration in order to login each user to its correspondent shell?

UPDATE:
It looks like sometimes the login process goes through pam modules alone and sometimes through sssd GPO-based policies taken from the active directory.
I tried disabling the filter and restarting sssd several times and in one of those I got these in the log:

Aug 28 15:42:43 co-proy-02 sssd[be[dev.domain.local]]: Warning: user would have been denied GPO-based logon access if the ad_gpo_access_control option were set to enforcing mode.

With filter disabled user Smith from dev groups succesfully gets tcsh but also does john. With filter enabled both get bash.

UPDATE2
Apparently there is a package named sssd-tools which has a command that would let you override the shell of any separate user, however, after trying this solution I still doesn't get appropiate result.
Here is the command, but at least for me, it's not working as it should:
sss_override user-add smith -s /usr/bin/sh

Best Answer

After a long search and with the help of @ChristopheDrevet-Droguet with the filter ou=Domain,dc=domain,dc=local?subtree?(memberOf=cn=dev,ou=Security Groups,ou=Domain,dc=domain,dc=local) as a base, the only thing missing was a tree of objects to parse, I mean, in which the user could be found.
The sssd should look like the following in order for this to work (at least for me):

[sssd]
domains = dev, domain.local
config_file_version = 2
services = nss, pam

[nss]
default_shell = /bin/bash

[domain/dev]
ad_domain = domain.local
krb5_realm = DOMAIN.LOCAL
ad_server = adserver.domain.local
id_provider = ad
access_provider = ad
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u
override_shell = /bin/tcsh
ldap_user_search_base = dc=domain,dc=local??(&(memberOf=cn=dev,ou=Security Groups,ou=Domain,dc=veritran,dc=local)(objectClass=*))


[domain/domain.local]
ad_server = adserver.domain.local
ad_domain = domain.local
krb5_realm = DOMAIN.LOCAL
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u
access_provider = ad
ldap_user_search_base = dc=domain,dc=local??(&(memberOf=cn=other,ou=Security Groups,ou=Domain,dc=veritran,dc=local)(objectClass=*))

Related Solutions

How to find out what AD groups I’m a member of

Try running gpresult /R for RSoP summary or gpresult /V for verbose output from the command line as an administrator on the computer. It should output something like this:

C:\Windows\system32>gpresult /V

Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 2/10/2010 at 10:27:41 AM


RSOP data for OQMSupport01\- on OQMSUPPORT01 : Logging Mode
------------------------------------------------------------

OS Configuration:            Standalone Workstation
OS Version:                  6.1.7600
Site Name:                   N/A
Roaming Profile:             N/A
Local Profile:               C:\Users\-
Connected over a slow link?: No


COMPUTER SETTINGS
------------------

    Last time Group Policy was applied: 2/10/2010 at 10:16:09 AM
    Group Policy was applied from:      N/A
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        OQMSUPPORT01
    Domain Type:                        <Local Computer>

    Applied Group Policy Objects
    -----------------------------
        N/A

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups
    -------------------------------------------------------
        System Mandatory Level
        Everyone
        Debugger Users
        IIS_WPG
        SQLServer2005MSSQLUser$OQMSUPPORT01$ACT7
        SQLServerMSSQLServerADHelperUser$OQMSUPPORT01
        BUILTIN\Users
        NT AUTHORITY\SERVICE
        CONSOLE LOGON
        NT AUTHORITY\Authenticated Users
        This Organization
        BDESVC
        BITS
        CertPropSvc
        EapHost
        hkmsvc
        IKEEXT
        iphlpsvc
        LanmanServer
        MMCSS
        MSiSCSI
        RasAuto
        RasMan
        RemoteAccess
        Schedule
        SCPolicySvc
        SENS
        SessionEnv
        SharedAccess
        ShellHWDetection
        wercplsupport
        Winmgmt
        wuauserv
        LOCAL
        BUILTIN\Administrators

USER SETTINGS
--------------

    Last time Group Policy was applied: 2/10/2010 at 10:00:51 AM
    Group Policy was applied from:      N/A
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        OQMSupport01
    Domain Type:                        <Local Computer>

    The user is a part of the following security groups
    ---------------------------------------------------
        None
        Everyone
        Debugger Users
        HomeUsers
        BUILTIN\Administrators
        BUILTIN\Users
        NT AUTHORITY\INTERACTIVE
        CONSOLE LOGON
        NT AUTHORITY\Authenticated Users
        This Organization
        LOCAL
        NTLM Authentication
        High Mandatory Level

    The user has the following security privileges
    ----------------------------------------------

        Bypass traverse checking
        Manage auditing and security log
        Back up files and directories
        Restore files and directories
        Change the system time
        Shut down the system
        Force shutdown from a remote system
        Take ownership of files or other objects
        Debug programs
        Modify firmware environment values
        Profile system performance
        Profile single process
        Increase scheduling priority
        Load and unload device drivers
        Create a pagefile
        Adjust memory quotas for a process
        Remove computer from docking station
        Perform volume maintenance tasks
        Impersonate a client after authentication
        Create global objects
        Change the time zone
        Create symbolic links
        Increase a process working set

Or if you are logged in to a Windows Server OS with the ActiveDirectory PowerShell Module (or Client OS with the Remote Server Administration Tools) try the Get-ADPrincipalGroupMembership cmdlet:

C:\Users\username\Documents> Get-ADPrincipalGroupMembership username | Select name

name
----
Domain Users
All
Announcements
employees_US
remotes
ceo-report
all-engineering
not-sales
Global-NotSales

sssd – Forcing a Specific Shell for Some Group Members

One way to achieve this goal is to declare several domains, restricting the first ones to just the members of a given group.

[sssd]
config_file_version = 2
services = nss, pam
domains=DOMAIN_GROUP1,DOMAIN_GROUP2,DOMAIN

[nss]
default_shell = /bin/bash

[domain/DOMAIN_GROUP1]
id_provider = ad
# Domain
ad_domain = domain.local
# Servers
ad_server = dc01.domain.local,dc02.domain.local,dc03.domain.local
# Restrict to group members
ldap_user_search_base = DC=domain,DC=local?subtree?(memberOf=CN=group1,OU=Groups,DC=domain,DC=local)
# Shell
override_shell = /shell/path/for/group1
# Homedir
override_homedir = /home/%u

[domain/DOMAIN_GROUP2]
id_provider = ad
# Domain
ad_domain = domain.local
# Servers
ad_server = dc01.domain.local,dc02.domain.local,dc03.domain.local
# Restrict to group members
ldap_user_search_base = DC=domain,DC=local?subtree?(memberOf=CN=group2,OU=Groups,DC=domain,DC=local)
# Shell
override_shell = /shell/path/for/group2
# Homedir
override_homedir = /home/%u


[domain/DOMAIN]
id_provider = ad
# Domain
ad_domain = domain.local
# Servers
ad_server = dc01.domain.local,dc02.domain.local,dc03.domain.local
# Homedir
override_homedir = /home/%u

Members of group1 use /shell/path/for/group1, members of group2 use /shell/path/for/group2, all other DOMAIN users use /bin/bash

A downside is if a user is a member of both groups: it will always fall in the first "domain" DOMAIN_GROUP1.

EDIT: use of ldap_user_search_base instead of the deprecated ldap_user_search_filter. It should be working on newer versions of sssd.

Best Answer

Related Solutions

How to find out what AD groups I’m a member of

sssd – Forcing a Specific Shell for Some Group Members

Related Topic