I’m playing with the sudo delegation for users, and now I’m interested in SSH shell access for users. I saw that you can give Remote shell (SSH) access during the creation of the user, but NOT after it is created (greyed-out checkbox).
Then the available solution is to remove the user and recreate it, but all data will be lost… I suppose.
Not tested yet with nethserver-directory.
@davidep is it a bug or a feature not completely developed?
IIRC the problem was the underlying samba-tool: it does not provide an option to change the corresponding LDAP attribute, after user creation.
IMO that checkbox should be removed from that page, because “User U has shell access to Machine M” depends on both U and M. As we support remote account providers, we should also implement a method (GPOs?) to deploy permissions on individual machines, to enforce rules like:
Hi, I think I managed to change the LDAP attribute, so we don’t need to delete the user and create a new one, but maybe it’s just a workaround for now because we have to allow LDAP weak auth.
Add this line to the NSDC smb.conf [global] section:

    ldap server require strong auth = no

and restart samba4 in the container.
Detailed solution with templating can be found here:
Create an ldif file, like test.ldif, with the following content according to your Samba AD DN:

    dn: cn=markus,cn=Users,dc=ad,dc=local
    changetype: modify
    replace: loginShell
    loginShell: /bin/bash

Then use ldapmodify from NethServer et voilà!

    [root@server ~]# ldapmodify -h NSDC-SERVER -D admin@ad.local -w SECRET -f test.ldif
    modifying entry "cn=markus,cn=Users,dc=ad,dc=local"
You may set loginShell to /usr/libexec/openssh/sftp-server or /bin/false for deactivating shell access.
Hope this helps!
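The procedure from the post above, put together as a small script. This is an added example, not code from the thread or from NethServer: it builds the same modify LDIF for a given user and shell, validates both values before they reach the DN, defaults to a dry run, and (when DRY_RUN=0) applies it with ldapmodify using -W (password prompt) instead of -w SECRET, so the bind password is not left in the process list or shell history. The host nsdc.ad.local, base DN dc=ad,dc=local and bind account admin@ad.local are assumed placeholder values; the users container cn=Users is assumed to match the post.

```shell
#!/bin/sh
# Added example, not from the thread: generate and apply the loginShell change
# that @mrmarkuz described, with a dry run by default and input validation.
# Assumed (hypothetical) values: NSDC host nsdc.ad.local, base DN dc=ad,dc=local,
# bind account admin@ad.local; override them through the environment.
set -eu

NSDC_HOST="${NSDC_HOST:-nsdc.ad.local}"
BASE_DN="${BASE_DN:-dc=ad,dc=local}"
BIND_DN="${BIND_DN:-admin@ad.local}"
DRY_RUN="${DRY_RUN:-1}"          # set DRY_RUN=0 to really call ldapmodify

# Reject usernames with characters that would need DN escaping
# (or that could inject extra LDIF lines).
validate_user() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Only the shells discussed in the thread are accepted; anything else is refused.
validate_shell() {
    case "$1" in
        /bin/bash|/bin/sh|/bin/false|/sbin/nologin|/usr/libexec/openssh/sftp-server) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the modify LDIF for one user to stdout.  Usage: build_ldif markus /bin/bash
build_ldif() {
    user="$1"; shell="$2"
    validate_user "$user"   || { echo "invalid username: $user" >&2; return 1; }
    validate_shell "$shell" || { echo "refusing unexpected shell: $shell" >&2; return 1; }
    printf 'dn: cn=%s,cn=Users,%s\nchangetype: modify\nreplace: loginShell\nloginShell: %s\n' \
        "$user" "$BASE_DN" "$shell"
}

# Apply the change.  -W prompts for the bind password instead of leaving it in
# the process list and shell history as "-w SECRET" does.  -ZZ insists on
# StartTLS, which Samba accepts for simple binds even with
# "ldap server require strong auth = yes"; drop -ZZ only if this host does not
# trust the NSDC certificate and you kept the weak-auth setting from the thread.
apply_shell() {
    ldif="$(build_ldif "$1" "$2")" || return 1
    if [ "$DRY_RUN" = "1" ]; then
        echo "# dry run: would send the following to ldap://$NSDC_HOST as $BIND_DN"
        printf '%s\n' "$ldif"
        return 0
    fi
    printf '%s\n' "$ldif" | ldapmodify -ZZ -H "ldap://$NSDC_HOST" -D "$BIND_DN" -W
    # Read the attribute back to verify it really changed (prompts again).
    ldapsearch -ZZ -LLL -H "ldap://$NSDC_HOST" -D "$BIND_DN" -W \
        -b "cn=$1,cn=Users,$BASE_DN" loginShell
}

if [ $# -ge 2 ]; then
    apply_shell "$1" "$2"
fi
```

Run it as `./setshell.sh markus /bin/bash` to see the LDIF it would send, and `DRY_RUN=0 ./setshell.sh markus /bin/bash` to apply it; the same invocation with /usr/libexec/openssh/sftp-server or /bin/false takes the shell away again.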
I did an update yesterday for nethserver-delegation-ns6 to set the shell to /bin/bash if sudo is delegated; reasonably it should be easy for ns7, once we determine which user account we use and write the relevant template.
Indeed, once you allow shell access to a user, it is on all machines with the remote account provider. For me it is not a bad thing, because it is simple.
The use of ldapmodify, as @mrmarkuz found, could be implemented directly in nethserver-sssd to remove the shell access.
I’d rather call “ldbmodify” inside nsdc, like we do with other “samba-tool” invocations. I don’t like the “Accounts operator” group membership of the machine account. It is required during upgrade/migration, but could be replaced by “ldbmodify” calls…
An upstream patch to samba-tool is welcome though…
Hi there, I’m trying to configure SSH access for my boss at the office, you know, for several things like probing backups and mounting and unmounting drives. I got SSH access but can’t get the bash prompt [sistemas@nethserver ~]# to do the same things I have done on the SMEserver.
That was all, thanks @mrmarkuz. I was trying to do it through:

    nethserver-sssd -> user-modify -> shell: defaults to /usr/libexec/openssh/sftp-server; if set to /bin/bash the user will be able to access the server using SSH.

That was an easy solution, now it’s time to set up sudo. And GUALA!!! a server is fullfitnest.