All local users in /etc/passwd

These Linux computers [26] are used in a lab and the student accounts are on the LDAP Server. In this way students can log in to any computer in the lab.
The console logins that use LDAP work fine except for the shell issue.
In the /etc/nsswitch.conf I have the following.

    passwd: files sss ldap
    shadow: files sss ldap
    group: files sss ldap

-----Original Message-----
From: Warren Young <warren at etr-usa.com>
Reply-To: CentOS mailing list <centos at centos.org>
To: CentOS mailing list <centos at centos.org>
Subject: Re: [CentOS] Help with default shell
Date: Wed, 23 Jun 2021 15:13:23 -0600
Mailer: Apple Mail (2.3608.120.23.2.7)

On Jun 23, 2021, at 7:12 AM, Hooton, Gerard <g.hooton at ucc.ie> wrote:

> The users are authenticated using OpenLDAP.
> On LDAP the default shell is csh.
> When ssh to login it works, i.e. $SHELL = /bin/csh
> Also, when using xrdp it works.
> However, a login from the keyboard and screen attached computer we get $SHELL = /bin/bash

The shell is a symptom, not the core issue here. The core issue is that local console logins aren’t configured to use LDAP on your system, so they fall back to the old flat-file-based user info sources. (/etc/passwd, /etc/group, /etc/shadow…)

The question then is, do you really *want* local logins to require the LDAP server to be up before it’ll accept a login? If an LDAP package upgrade roaches things, do you want to be forced to reboot into single-user mode to fix it? If there’s a network outage between this box and the OpenLDAP server, are you going to wait to log in locally as well until the network’s fixed?

Me, I’d just do a “chsh” on the users or a sed pass on /etc/passwd to change all the shells locally so they match the LDAP configuration so I can have it both ways.

However, if you’re bound and determined to have LDAP be the single source of all user truth, the bit at the end of Step 2 here looks like it should do that:

https://arthurdejong.org/nss-pam-ldapd/setup

May you live to *not* regret doing that!

--
Gerard Hooton.
Senior Technical Officer
School of Engineering.
University College Cork.
College Road.
Cork.
Ireland.
Loc8: WDR-04-60G
Tel: +353 21 4902296
Mobile: +353 852813491
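
Added example, not part of the thread: a check to run before the suggested chsh or sed pass, listing accounts that exist both locally and in LDAP with different login shells. With `files` first on the `passwd:` line, glibc NSS answers from the first source that has the entry, so such a local entry decides the shell. The function names and sample accounts are constructed for illustration.

```shell
#!/bin/sh
# shell_mismatches LOCAL_FILE DIRECTORY_FILE
# Both files are in passwd(5) format. Prints "user local_shell directory_shell"
# for every account present in both whose login shell (field 7) differs.
shell_mismatches() {
    awk -F: '
        FILENAME == ARGV[1] { if ($1 != "" && $1 !~ /^#/) local_shell[$1] = $7; next }
        ($1 in local_shell) && local_shell[$1] != $7 {
            print $1, local_shell[$1], $7
        }
    ' "$1" "$2"
}

# passwd_sources NSSWITCH_FILE
# Prints the lookup order configured on the "passwd:" line.
passwd_sources() {
    awk '$1 == "passwd:" { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

demo() {
    tmp=$(mktemp -d) || return 1
    # Constructed sample data. On a real host the two dumps could come from
    #   getent -s files passwd > local.txt
    #   getent -s ldap  passwd > ldap.txt   (assumes enumeration is permitted)
    printf 'passwd: files sss ldap\n' > "$tmp/nsswitch.conf"
    cat > "$tmp/local.txt" <<'EOF'
root:x:0:0:root:/root:/bin/bash
student1:x:5001:5001:Student One:/home/student1:/bin/bash
EOF
    cat > "$tmp/ldap.txt" <<'EOF'
student1:x:5001:5001:Student One:/home/student1:/bin/csh
student2:x:5002:5002:Student Two:/home/student2:/bin/csh
EOF
    echo "passwd lookup order: $(passwd_sources "$tmp/nsswitch.conf")"
    shell_mismatches "$tmp/local.txt" "$tmp/ldap.txt"
    rm -rf "$tmp"
}

demo
```

An empty result means no account is defined in both places with conflicting shells, so the difference has to come from somewhere other than a local entry taking precedence.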