I’m not using the Default Trust View. This is a brand new trust view.

David Eddleman

On 8/29/17, 8:02 AM, "Sumit Bose via FreeIPA-users" <[email protected]> wrote:

On Mon, Aug 28, 2017 at 04:39:46PM +0000, Eddleman, David via FreeIPA-users wrote:
> So I've created an ID override on the IPA master called "TestShellView" to test out changing per-user requirements for shells.
>
> Verify the ID override on the master:
> [root@ipamaster01 ~]# ipa idoverrideuser-find TestShellView
> --------------------------
> 1 User ID override matched
> --------------------------
> Anchor to override: user@domain
> GECOS: TEST ID VIEW
> Login shell: /bin/ksh
> ----------------------------
> Number of entries returned 1
> ----------------------------
>
> Good, looks as expected. I also tested the GECOS override just in case such a thing was needed in the future.
>
> [root@rhel7template ~]# getent passwd user@domain
> user@domain:*:689709720:689709720:TEST ID VIEW:/home/domain/user:/bin/ksh
>
> Looks good. It's doing what it's supposed to be doing.
> So now we remove the GECOS and shell settings in the webUI and verify via CLI that they're gone:
>
> [root@ipamaster01 ~]# ipa idoverrideuser-find TestShellView
> --------------------------
> 1 User ID override matched
> --------------------------
> Anchor to override: user@domain
> ----------------------------
> Number of entries returned 1
> ----------------------------
>
> Still good so far. No overrides defined.
>
> Clear the cache to verify that the data is fresh.
>
> [root@rhel7template ~]# sss_cache -E
> [root@rhel7template ~]# getent passwd user@domain
> user@domain:*:689709720:689709720:TEST ID VIEW:/home/domain/user:/bin/ksh

I'm pretty sure this works as expected with the 'Default Trust View'. I'll try to reproduce with a non-default view.

bye,
Sumit

>
> That's not right...
> The default and fallback don't call for ksh either:
>
> [root@rhel7template ~]# cat /etc/sssd/sssd.conf | grep shell
> allowed_shells = /bin/bash,/bin/sh,/bin/ksh
> shell_fallback = /sbin/nologin
> default_shell = /bin/bash
>
> So let's try purging the cache files...
> [root@rhel7template ~]# cd /var/lib/sss/db/
> [root@rhel7template db]# ls
> <cache file listing>
> [root@rhel7template db]# rm -f *
> [root@rhel7template db]# ls
> [root@rhel7template db]# service sssd restart
> Redirecting to /bin/systemctl restart sssd.service
> [root@rhel7template db]# getent passwd user@domain
> user@domain:*:689709720:689709720:Username:/home/domain/user:/bin/bash
>
> Now it's showing what it's supposed to.
>
> This shouldn't be happening. If we have to purge sss cache files each time we make an ID Override change, this won't work. Is this expected behavior, or is this a bug?
>
> David Eddleman
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
