Mailinglist Archive: opensuse (880 mails)

Re: [opensuse] /etc/passwd compulsory fields
On Tue, 2013-08-20 at 07:57 -0400, Anton Aylward wrote:
> Neil Rickert said the following on 08/19/2013 09:32 PM:
>> On Mon, 19 Aug 2013 22:58:10 +0200
>> lynn <lynn@xxxxxxxxxxxx> wrote:
>>
>>> OK. It's not the file itself, more what I'm passing to the operating
>>> system. I'm using sssd, which seems to copy username to gecos and
>>> have / as the default home directory even if those attributes are not
>>> populated in AD. It will however allow me to leave login shell blank.
>>> getent then gives me this:
>>> cifsuser:*:3000020:20513:cifsuser:/:
>>> which gives the correct number of ":". I'm not sure whether it's sssd
>>> or AD which decides on the defaults.
>>> Anyway, a bit better.
>>
>> A blank login shell is interpreted as "/bin/sh". If logins are never
>> to be allowed for this user, I would typically set the shell to
>> "/noshell", which does not have a special meaning, but will deny login
>> as long as "/noshell" does not exist in the file system. Any
>> non-existent file path would do the same thing.
>
> Please see "man nologin" for the 'polite' way to do this :-)

Hi
I can't get it polite:
hh16:/tmo # nologin
This account is currently not available.
works OK but it's not polite:
hh16:/tmp # su cifsuser
Password:
su: /noshell: No such file or directory

This is what I have in the directory:
cn: cifsuser
objectClass: posixAccount
uidNumber: 3000020
gidNumber: 20513
loginShell: /noshell

Note that unixHomeDirectory and gecos are not set but still appear:
hh16:/tmp # getent passwd cifsuser
cifsuser:*:3000020:20513:cifsuser:/:/noshell

Here is /etc/pam.d/common-auth
auth required pam_env.so
auth optional pam_gnome_keyring.so
auth sufficient pam_unix.so try_first_pass
auth required pam_sss.so use_first_pass

sssd is up and is OK as all domain users with a loginShell can
authenticate and are correctly placed in their home directory.

1. How do I get the polite message?
2. How do I enter a blank gecos?
3. How do I enter a blank home directory?
4. Is it possible that cifsuser never be prompted for a password?

Thanks
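
The login-shell cases discussed in this thread (blank shell, non-existent path such as /noshell, and nologin) can be checked mechanically over `getent passwd` output. The following is an added example, not part of the original messages; the function names, the nologin install paths and the last two sample lines are assumptions made for illustration.

```python
import os

# Assumption: common install locations of nologin(8); adjust for your distribution.
NOLOGIN_PATHS = {"/sbin/nologin", "/usr/sbin/nologin"}

def classify(line, exists=os.path.exists):
    """Return (user, status) for one passwd(5)-format line from `getent passwd`."""
    fields = line.rstrip("\n").split(":")
    user = fields[0]
    if len(fields) != 7:
        return user, "MALFORMED"            # wrong number of ':' separators
    shell = fields[6]
    if shell == "":
        return user, "INTERACTIVE_DEFAULT"  # empty shell is treated as /bin/sh
    if not exists(shell):
        # Login is refused only until something creates a file at this path.
        return user, "MISSING_SHELL"
    if shell in NOLOGIN_PATHS:
        return user, "NOLOGIN"              # refuses login and prints a message
    return user, "INTERACTIVE"

def audit(lines, exists=os.path.exists):
    """Classify every non-blank line; returns a list of (user, status)."""
    return [classify(l, exists) for l in lines if l.strip()]

# First two lines are the getent output quoted in the thread; the rest are constructed.
SAMPLE = [
    "cifsuser:*:3000020:20513:cifsuser:/:",
    "cifsuser:*:3000020:20513:cifsuser:/:/noshell",
    "svcuser:*:3000021:20513:svcuser:/:/sbin/nologin",
    "broken:*:3000022:20513",
]

if __name__ == "__main__":
    for user, status in audit(SAMPLE):
        print(f"{user:10} {status}")
```

Accounts reported as MISSING_SHELL are worth reviewing: they stay locked out only while nothing exists at that path, whereas NOLOGIN does not depend on a file being absent.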

