9

The context

I'd like to restrict some AD users to a specific script, limiting what they can do on this particular machine.

So, instead of connecting them with /bin/bash (for instance), I'd like to force them to use /path/to/my/script. Those users are in a specific AD group.

Other people should be able to use the real shell.

The classic way

If those users were local users, I would just change the shell field in /etc/passwd.

The sssd way

Is there a way to provide a different shell value only for the members of that group?

If not, how would you do it?

Christophe Drevet

2 Answers

15

One way to achieve this goal is to declare several domains, restricting the first ones to just the members of a given group.

[sssd]
config_file_version = 2
services = nss, pam
domains = DOMAIN_GROUP1, DOMAIN_GROUP2, DOMAIN

[nss]
default_shell = /bin/bash

[domain/DOMAIN_GROUP1]
id_provider = ad
# Domain
ad_domain = domain.local
# Servers
ad_server = dc01.domain.local,dc02.domain.local,dc03.domain.local
# Restrict to group members
ldap_user_search_base = DC=domain,DC=local?subtree?(memberOf=CN=group1,OU=Groups,DC=domain,DC=local)
# Shell
override_shell = /shell/path/for/group1
# Homedir
override_homedir = /home/%u

[domain/DOMAIN_GROUP2]
id_provider = ad
# Domain
ad_domain = domain.local
# Servers
ad_server = dc01.domain.local,dc02.domain.local,dc03.domain.local
# Restrict to group members
ldap_user_search_base = DC=domain,DC=local?subtree?(memberOf=CN=group2,OU=Groups,DC=domain,DC=local)
# Shell
override_shell = /shell/path/for/group2
# Homedir
override_homedir = /home/%u

[domain/DOMAIN]
id_provider = ad
# Domain
ad_domain = domain.local
# Servers
ad_server = dc01.domain.local,dc02.domain.local,dc03.domain.local
# Homedir
override_homedir = /home/%u

Members of group1 use /shell/path/for/group1, members of group2 use /shell/path/for/group2, and all other DOMAIN users use /bin/bash.

A downside is if a user is a member of both groups: they will always fall into the first "domain", DOMAIN_GROUP1.

EDIT: use of ldap_user_search_base instead of the deprecated ldap_user_search_filter. It should be working on newer versions of sssd.

Christophe Drevet
  • This is really smart :) – Orsiris de Jong Aug 15 '17 at 18:20
  • However, the AD must be configured to provide the domains DOMAIN_GROUP1 and DOMAIN_GROUP2 as well as DOMAIN. – dr_ Aug 29 '18 at 13:14
  • Not at all. These names are used internally by sssd. The actual AD domain name is the same for both sssd domains: domain.local. It's the ad_domain parameter. – Christophe Drevet Aug 29 '18 at 20:55
  • I've tried this configuration, it does not work: https://unix.stackexchange.com/questions/465103/setting-login-shell-in-sss-configuration-for-users-from-active-directory – dr_ Aug 30 '18 at 15:07
  • It works for me, but I'm using a rather old version of sssd. It seems that the `ldap_user_search_filter` is not supported now. But the ldap_user_search_base seems to support filters. – Christophe Drevet Aug 31 '18 at 06:50
  • I've tried `ldap_user_search_base`, nothing changes. – dr_ Aug 31 '18 at 08:12
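The answer relies on sssd walking the `domains` list in order and returning the first domain whose `ldap_user_search_base` filter matches the user, which is exactly why a member of both groups lands in DOMAIN_GROUP1. The following Python script is an added illustration, not sssd's own code or anything from the original post: it parses a constructed sssd.conf laid out like the one above, extracts the `memberOf` DN from each domain's search base, and applies the same first-match rule to a user's group list. Real sssd evaluates the filter on the domain controller via LDAP; this model only reproduces the ordering logic so you can reason about which shell a given group combination will get before rolling the config out. The case-insensitive DN comparison and the `audit_overlaps` helper are assumptions of this example, not sssd options.

```python
"""Model of sssd's first-matching-domain rule for per-group override_shell.

Added example (not sssd code): parses an sssd.conf-style text, records the
domain order from [sssd] domains=, pulls the memberOf DN out of each domain's
ldap_user_search_base, and resolves a user's effective shell and home
directory the way the answer above describes.
"""
import configparser
import re

# Constructed sssd.conf mirroring the answer's layout (not a real deployment).
SSSD_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = DOMAIN_GROUP1, DOMAIN_GROUP2, DOMAIN

[nss]
default_shell = /bin/bash

[domain/DOMAIN_GROUP1]
id_provider = ad
ad_domain = domain.local
ldap_user_search_base = DC=domain,DC=local?subtree?(memberOf=CN=group1,OU=Groups,DC=domain,DC=local)
override_shell = /shell/path/for/group1
override_homedir = /home/%u

[domain/DOMAIN_GROUP2]
id_provider = ad
ad_domain = domain.local
ldap_user_search_base = DC=domain,DC=local?subtree?(memberOf=CN=group2,OU=Groups,DC=domain,DC=local)
override_shell = /shell/path/for/group2
override_homedir = /home/%u

[domain/DOMAIN]
id_provider = ad
ad_domain = domain.local
override_homedir = /home/%u
"""

# Extracts the DN inside "(memberOf=...)" from a base?scope?filter string.
MEMBEROF_RE = re.compile(r"\(memberOf=([^)]+)\)", re.IGNORECASE)


def parse_sssd_conf(text):
    """Return (domains_in_order, default_shell) from sssd.conf-style text."""
    cp = configparser.ConfigParser(interpolation=None)  # keep %u literal
    cp.read_string(text)
    order = [d.strip() for d in cp["sssd"]["domains"].split(",") if d.strip()]
    default_shell = cp["nss"].get("default_shell", "/bin/sh")
    domains = []
    for name in order:
        sec = cp[f"domain/{name}"]
        match = MEMBEROF_RE.search(sec.get("ldap_user_search_base", ""))
        domains.append({
            "name": name,
            # AD DNs are case-insensitive; lower-case for comparison (assumption of this model).
            "required_group": match.group(1).lower() if match else None,
            "shell": sec.get("override_shell"),
            "homedir": sec.get("override_homedir"),
        })
    return domains, default_shell


def resolve(domains, default_shell, user, member_of):
    """First domain in list order whose memberOf filter the user satisfies wins."""
    groups = {g.lower() for g in member_of}
    for d in domains:
        if d["required_group"] is None or d["required_group"] in groups:
            shell = d["shell"] or default_shell
            home = (d["homedir"] or "/home/%u").replace("%u", user)
            return d["name"], shell, home
    return None  # user is not visible through any configured domain


def audit_overlaps(domains, users):
    """Return users who match more than one restricted domain (the caveat above).

    `users` maps a username to its list of group DNs. Such users silently get
    the first domain's shell, so they are worth reviewing before deployment.
    """
    restricted = [d for d in domains if d["required_group"]]
    flagged = {}
    for user, member_of in users.items():
        groups = {g.lower() for g in member_of}
        hits = [d["name"] for d in restricted if d["required_group"] in groups]
        if len(hits) > 1:
            flagged[user] = hits
    return flagged


if __name__ == "__main__":
    doms, default = parse_sssd_conf(SSSD_CONF)
    g1 = "CN=group1,OU=Groups,DC=domain,DC=local"
    g2 = "CN=group2,OU=Groups,DC=domain,DC=local"
    sample = {"alice": [g1], "bob": [g2], "carol": [], "dave": [g2, g1]}  # constructed
    for user, groups in sample.items():
        print(user, "->", resolve(doms, default, user, groups))
    print("members of several restricted domains:", audit_overlaps(doms, sample))
```

On a live host the same question is answered by `getent passwd <user>` (or `id <user>`) after restarting sssd and clearing its cache, since the shell field returned by NSS is what the login path actually uses; the script above is only for planning the domain order and spotting users who belong to more than one restricted group.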
2

You probably can't do it to a group, but you can change the shell per user in AD for SSSD. Go into the actual Object attributes using ADSI Edit and change the "loginShell" attribute for the user. Alternatively, you might look into using Puppet to bring GPO like stuff to Linux and perhaps manage it there (I'm not sure that is possible though).

jmp242
  • I don't think you can use puppet or any other config software to change the way NSS behaves. I know I could tell which shell to use in the `loginShell` attribute but I can't use this method: the user may need a real shell on other machines; and I would prefer to not install the msSFU AD extension (which provides the needed attribute, right?) – Christophe Drevet Feb 22 '14 at 13:40
  • 2
    Umm, I believe the attribute exists, and msSFU just gives you a UI other than ADSI edit. Server 2008 and newer are RFC compliant there (I'm pretty sure, as I have server 2008R2 and no SFU installed and I use the attributes all the time for SL6 clients) – jmp242 Feb 24 '14 at 13:12
  • OK. So your answer is valid as long as the user does not have to connect to another machine with a real shell or a different shell script. – Christophe Drevet Feb 24 '14 at 14:12