> On 31 Aug 2018, at 17:34, Daniele Raffo <d...@fedoraproject.org> wrote:
>
> Hello,
>
> I'm trying to define two sssd groups in order to assign a different login
> shell to AD users belonging to two different AD groups in our domain
> FOOBAR.GLOBAL.
> However, all users are unable to log in and get an error "Authentication
> failed".

Are you able to at least resolve the users? What exact name are you using to resolve the users, username@foobar_nologin.global or username@foobar.global? The former would work, the latter would not.

btw if all you want is to munge the shell based on group memberships, maybe the sss_override tool would help?

> If I change a sssd section to [domain/FOOBAR.GLOBAL] so as to reflect the
> existing AD domain, users defined in that sssd group are able to log in.
> However, clearly in this way I cannot define more than one section.
> Why is that? How to define sssd sections with names different than the
> existing AD domain?
>
> Thanks in advance. Below is my sssd.conf.
>
>
> [sssd]
> domains = FOOBAR_ADMINS.GLOBAL,FOOBAR_NOLOGIN.GLOBAL
> config_file_version = 2
> services = nss, pam
>
> [domain/FOOBAR_NOLOGIN.GLOBAL]
> ldap_user_search_filter = (memberOf=CN=Simple Users,OU=Security Groups,DC=FOOBAR,DC=GLOBAL)
> default_shell = /bin/sh
> ad_server = ad01.foobar.global
> ad_domain = FOOBAR.GLOBAL
> krb5_realm = FOOBAR.GLOBAL
> realmd_tags = manages-system joined-with-adcli
> cache_credentials = False
> id_provider = ad
> krb5_store_password_if_offline = True
> ldap_id_mapping = True
> use_fully_qualified_names = True
> fallback_homedir = /home/%u@%d
> access_provider = simple
> simple_allow_groups = Simple Users@FOOBAR.GLOBAL
>
> [domain/FOOBAR_ADMINS.GLOBAL]
> ldap_user_search_filter = (memberOf=CN=Administrators,OU=Security Groups,DC=FOOBAR,DC=GLOBAL)
> default_shell = /bin/bash
> ad_server = ad01.foobar.global
> ad_domain = FOOBAR.GLOBAL
> krb5_realm = FOOBAR.GLOBAL
> realmd_tags = manages-system joined-with-adcli
> cache_credentials = False
> id_provider = ad
> krb5_store_password_if_offline = True
> ldap_id_mapping = True
> use_fully_qualified_names = True
> fallback_homedir = /home/%u@%d
> access_provider = simple
> simple_allow_groups = Administrators@FOOBAR.GLOBAL
> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
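The naming rule from the reply above, as an added example (not code from the thread or from the SSSD project): a Python check that reads an sssd.conf and, for each enabled domain with `use_fully_qualified_names` set, reports the name that resolves according to the reply and flags sections whose name differs from `ad_domain`. The function name `login_name_report` and the trimmed sample config are constructed for illustration.

```python
import configparser

# Constructed sample: the thread's two domain sections, trimmed to the
# options this check reads.
SAMPLE_CONF = """\
[sssd]
domains = FOOBAR_ADMINS.GLOBAL,FOOBAR_NOLOGIN.GLOBAL

[domain/FOOBAR_NOLOGIN.GLOBAL]
ad_domain = FOOBAR.GLOBAL
default_shell = /bin/sh
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d

[domain/FOOBAR_ADMINS.GLOBAL]
ad_domain = FOOBAR.GLOBAL
default_shell = /bin/bash
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
"""

def login_name_report(conf_text, user="username"):
    """Per enabled domain: the name to resolve and a warning on a name mismatch."""
    # interpolation=None: values like /home/%u@%d are not configparser templates.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    report = []
    for dom in (d.strip() for d in cp["sssd"]["domains"].split(",")):
        section = f"domain/{dom}"
        if not cp.has_section(section):
            report.append({"domain": dom, "resolve_as": None, "shell": None,
                           "warning": f"[{section}] is listed in domains but not defined"})
            continue
        sec = cp[section]
        fqn = sec.getboolean("use_fully_qualified_names", fallback=False)
        ad_domain = sec.get("ad_domain", dom)
        warning = None
        if fqn and ad_domain.lower() != dom.lower():
            # The reply's point: the qualifier is the section name, not ad_domain.
            warning = (f"{user}@{ad_domain.lower()} will not resolve here; "
                       f"use {user}@{dom.lower()}")
        report.append({"domain": dom,
                       "resolve_as": f"{user}@{dom.lower()}" if fqn else user,
                       "shell": sec.get("default_shell"),
                       "warning": warning})
    return report

if __name__ == "__main__":
    for row in login_name_report(SAMPLE_CONF):
        print(row)
```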