Hi all,

I have a computer with CentOS 7.
The users are authenticated using OpenLDAP.
On LDAP the default shell is csh.
When ssh to login it works, i.e. $SHELL = /bin/csh
Also, when using xrdp it works.
However, a login from the keyboard and screen attached computer we get $SHELL = /bin/bash

Any help is welcome.

Regards,

Ger.

--
Gerard Hooton.
Senior Technical Officer
School of Engineering.
University College Cork.
College Road.
Cork.
Ireland.

On Jun 23, 2021, at 7:12 AM, Hooton, Gerard <g.hooton at ucc.ie> wrote:
>
> The users are authenticated using OpenLDAP.
> On LDAP the default shell is csh.
> When ssh to login it works, i.e. $SHELL = /bin/csh
> Also, when using xrdp it works.
> However, a login from the keyboard and screen attached computer we get $SHELL = /bin/bash

The shell is a symptom, not the core issue here. The core issue is that local console logins aren't configured to use LDAP on your system, so they fall back to the old flat-file-based user info sources. (/etc/passwd, /etc/group, /etc/shadow...)

The question then is, do you really *want* local logins to require the LDAP server to be up before it'll accept a login? If an LDAP package upgrade roaches things, do you want to be forced to reboot into single-user mode to fix it? If there's a network outage between this box and the OpenLDAP server, are you going to wait to log in locally as well until the network's fixed?

Me, I'd just do a "chsh" on the users or a sed pass on /etc/passwd to change all the shells locally so they match the LDAP configuration so I can have it both ways.

However, if you're bound and determined to have LDAP be the single source of all user truth, the bit at the end of Step 2 here looks like it should do that:

https://arthurdejong.org/nss-pam-ldapd/setup

May you live to *not* regret doing that!

On Wed, 23 Jun 2021 at 09:13, Hooton, Gerard <g.hooton at ucc.ie> wrote:
>
> Hi all,
> I have a computer with CentOS 7.
> The users are authenticated using OpenLDAP.
> On LDAP the default shell is csh.
> When ssh to login it works, i.e. $SHELL = /bin/csh
> Also, when using xrdp it works.
> However, a login from the keyboard and screen attached computer we get $SHELL = /bin/bash
>

So my first thing I would try to do would be to see if `getent passwd <username>` showed different configs when a person logged in different ways. Aka

```
$ ssh foobaz
$ getent passwd ssmoogen
ssmoogen:x:14353:14353:Stephen Smoogen:/home/ssmoogen:/bin/csh
$ exit
login: ssmoogen
passwd:
$ getent passwd ssmoogen
ssmoogen:x:14353:14353:Stephen Smoogen:/home/ssmoogen:/bin/bash
$ exit
```

In either case, I think from going down the rabbit hole of bugs/etc that something in your system is using attribute mapping to force a shell but only for console logins. The general way this is done is sticking

    map passwd loginShell "/bin/bash"
    map passwd shell "/bin/bash"

Beyond that I do not have any openldap systems to confirm how this would be done.

> Any help is welcome.
> Regards,
>
> Ger.

--
Stephen J Smoogen.
I've seen things you people wouldn't believe. Flame wars in sci.astro.orion. I have seen SPAM filters overload because of Godwin's Law. All those moments will be lost in time... like posts on BBS... time to reboot.
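
Both replies come down to the same check: does the login shell in the flat files agree with the one in LDAP for a given account? The script below is an added example, not code from the thread; the function name `shell_drift`, the `demo` wrapper and the sample accounts are constructed for illustration. It compares two passwd(5)-format listings and reports every user whose shell differs.

```shell
#!/bin/sh
# Added example: report accounts whose login shell differs between two
# passwd(5)-format sources (field 1 = user name, field 7 = login shell).

# shell_drift LOCAL_FILE DIRECTORY_FILE
# Prints "user local_shell directory_shell" for each user that appears in
# both files with a different shell. Users found in only one file are skipped.
shell_drift() {
    awk -F: '
        # passwd(5): an empty shell field means /bin/sh.
        function norm(s) { return s == "" ? "/bin/sh" : s }
        # First file: remember the shell of every local account.
        # FILENAME is compared (not NR == FNR) so an empty first file is safe.
        FILENAME == ARGV[1] { if ($1 != "") loc[$1] = norm($7); next }
        # Second file: report entries that disagree with the local one.
        ($1 in loc) && loc[$1] != norm($7) { print $1, loc[$1], norm($7) }
    ' "$1" "$2" | sort
}

# Constructed sample data: "local" stands in for /etc/passwd, "ldap" for a
# dump of the directory entries in the same colon-separated format.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/local" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:14353:14353:Alice Example:/home/alice:/bin/bash
bob:x:14354:14354:Bob Example:/home/bob:/bin/csh
EOF
    cat > "$tmp/ldap" <<'EOF'
alice:x:14353:14353:Alice Example:/home/alice:/bin/csh
bob:x:14354:14354:Bob Example:/home/bob:/bin/csh
carol:x:14355:14355:Carol Example:/home/carol:/bin/csh
EOF
    shell_drift "$tmp/local" "$tmp/ldap"
    rm -rf "$tmp"
}

demo
```

On a real host the first argument would be `/etc/passwd` and the second a file holding the output of `getent -s ldap passwd`, assuming the NSS service is named `ldap` (as with nss-pam-ldapd) and the server permits enumeration.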