[CentOS] Help with default shell

Thu Jun 24 08:43:18 UTC 2021
Hooton, Gerard <g.hooton at ucc.ie>

All local users are in /etc/passwd.
These Linux computers [26] are used in a lab and the student accounts are on the LDAP Server.
In this way students can login to any computer in the lab.
The console logins that use LDAP work fine except for the shell issue.
In /etc/nsswitch.conf I have the following:

passwd:     files sss ldap
shadow:     files sss ldap
group:      files sss ldap



-----Original Message-----
From: Warren Young <warren at etr-usa.com>
Reply-To: CentOS mailing list <centos at centos.org>
To: CentOS mailing list <centos at centos.org>
Subject: Re: [CentOS] Help with default shell
Date: Wed, 23 Jun 2021 15:13:23 -0600
Mailer: Apple Mail (2.3608.120.23.2.7)




On Jun 23, 2021, at 7:12 AM, Hooton, Gerard <g.hooton at ucc.ie> wrote:


The users are authenticated using OpenLDAP.

On LDAP the default shell is csh.

When using ssh to log in it works, i.e. $SHELL = /bin/csh

Also, when using xrdp it works.

However, for a login from the keyboard and screen attached to the computer, we get $SHELL = /bin/bash


The shell is a symptom, not the core issue here.  The core issue is that local console logins aren’t configured to use LDAP on your system, so they fall back to the old flat-file-based user info sources.  (/etc/passwd, /etc/group, /etc/shadow…)


The question then is, do you really *want* local logins to require the LDAP server to be up before it’ll accept a login?  If an LDAP package upgrade roaches things, do you want to be forced to reboot into single-user mode to fix it?  If there’s a network outage between this box and the OpenLDAP server, are you going to wait to log in locally as well until the network’s fixed?


Me, I’d just do a “chsh” on the users or a sed pass on /etc/passwd to change all the shells locally so they match the LDAP configuration so I can have it both ways.


However, if you’re bound and determined to have LDAP be the single source of all user truth, the bit at the end of Step 2 here looks like it should do that:




https://arthurdejong.org/nss-pam-ldapd/setup



May you live to *not* regret doing that!

_______________________________________________
CentOS mailing list
CentOS at centos.org
https://lists.centos.org/mailman/listinfo/centos


--

Gerard Hooton.
Senior Technical Officer
School of Engineering.
University College Cork.
College Road.
Cork.
Ireland.
Loc8: WDR-04-60G
Tel: +353 21 4902296
Mobile: +353 852813491