sssd – Forcing a Specific Shell for Some Group Members

Tags: active-directory, sssd

The context

I'd like to restrict some AD users to a specific script, limiting what they can do on this particular machine.

So, instead of connecting them with /bin/bash (for instance), I'd like to force them to use /path/to/my/script. Those users are in a specific AD group.

Other people should be able to use the real shell.

The classic way

If those users were local users, I would just change the shell field in /etc/passwd.

The sssd way

Is there a way to provide a different shell value only for the members of that group?

If not, how would you do it?

Best Answer

One way to achieve this goal is to declare several domains, restricting the first ones to just the members of a given group.

[sssd]
config_file_version = 2
services = nss, pam
domains=DOMAIN_GROUP1,DOMAIN_GROUP2,DOMAIN

[nss]
default_shell = /bin/bash

[domain/DOMAIN_GROUP1]
id_provider = ad
# Domain
ad_domain = domain.local
# Servers
ad_server = dc01.domain.local,dc02.domain.local,dc03.domain.local
# Restrict to group members
ldap_user_search_base = DC=domain,DC=local?subtree?(memberOf=CN=group1,OU=Groups,DC=domain,DC=local)
# Shell
override_shell = /shell/path/for/group1
# Homedir
override_homedir = /home/%u

[domain/DOMAIN_GROUP2]
id_provider = ad
# Domain
ad_domain = domain.local
# Servers
ad_server = dc01.domain.local,dc02.domain.local,dc03.domain.local
# Restrict to group members
ldap_user_search_base = DC=domain,DC=local?subtree?(memberOf=CN=group2,OU=Groups,DC=domain,DC=local)
# Shell
override_shell = /shell/path/for/group2
# Homedir
override_homedir = /home/%u
[domain/DOMAIN]
id_provider = ad
# Domain
ad_domain = domain.local
# Servers
ad_server = dc01.domain.local,dc02.domain.local,dc03.domain.local
# Homedir
override_homedir = /home/%u

Members of group1 use /shell/path/for/group1, members of group2 use /shell/path/for/group2, and all other DOMAIN users use /bin/bash.

A downside is if a user is a member of both groups: they will always fall into the first "domain", DOMAIN_GROUP1.

EDIT: use of ldap_user_search_base instead of the deprecated ldap_user_search_filter. It should work on newer versions of sssd.
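To make the first-match ordering (and the both-groups caveat) concrete, here is an added Python model; it is not sssd's own resolution code. It parses a trimmed copy of the configuration above in `domains =` order and predicts which section, and therefore which shell, a user lands in given the group DNs they are a member of (the DNs and the extra `CN=other` group are constructed values).

```python
"""Model sssd's first-matching-domain lookup for the multi-domain layout above.
Added illustration only: it reproduces the ordering rule, not sssd internals."""
import configparser
import re

# Constructed copy of the answer's sssd.conf, trimmed to the options the model reads.
SSSD_CONF = """
[sssd]
domains = DOMAIN_GROUP1, DOMAIN_GROUP2, DOMAIN

[nss]
default_shell = /bin/bash

[domain/DOMAIN_GROUP1]
ldap_user_search_base = DC=domain,DC=local?subtree?(memberOf=CN=group1,OU=Groups,DC=domain,DC=local)
override_shell = /shell/path/for/group1

[domain/DOMAIN_GROUP2]
ldap_user_search_base = DC=domain,DC=local?subtree?(memberOf=CN=group2,OU=Groups,DC=domain,DC=local)
override_shell = /shell/path/for/group2

[domain/DOMAIN]
"""

# Pulls the group DN out of the "?subtree?(memberOf=...)" filter part of the search base.
MEMBEROF_RE = re.compile(r"\(memberOf=([^)]+)\)", re.IGNORECASE)


def load_domains(conf_text):
    """Return (domain, required_group_dn or None, shell) tuples in `domains =` order."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    default_shell = cp["nss"].get("default_shell", "/bin/bash")
    order = [d.strip() for d in cp["sssd"]["domains"].split(",")]
    domains = []
    for name in order:
        sec = cp["domain/" + name]
        match = MEMBEROF_RE.search(sec.get("ldap_user_search_base", ""))
        group_dn = match.group(1).lower() if match else None  # AD DNs compare case-insensitively
        domains.append((name, group_dn, sec.get("override_shell", default_shell)))
    return domains


def resolve_shell(domains, member_of):
    """First domain whose memberOf filter the user satisfies wins; unrestricted domains match everyone."""
    groups = {dn.lower() for dn in member_of}
    for name, group_dn, shell in domains:
        if group_dn is None or group_dn in groups:
            return name, shell
    return None, None  # no domain matched: the user would not resolve at all


def matching_restricted_domains(domains, member_of):
    """Audit helper: every group-restricted domain the user satisfies (more than one means ambiguity)."""
    groups = {dn.lower() for dn in member_of}
    return [name for name, group_dn, _ in domains if group_dn is not None and group_dn in groups]


DOMAINS = load_domains(SSSD_CONF)
```

Running `matching_restricted_domains` over your users' memberOf lists before rollout flags anyone who satisfies more than one restricted domain and will silently get the first one's shell.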