When managing Linux systems integrated with Active Directory, we often need to apply different shell restrictions based on group membership. The standard /etc/passwd approach doesn't work for centrally managed AD users.
SSSD provides flexible configuration options through parameters such as override_homedir, default_shell and override_shell. Here's how to implement group-specific shell restrictions:
[domain/your.domain.com]
id_provider = ad
access_provider = ad
# Fallback for accounts whose AD entry carries no shell
default_shell = /bin/bash
# SSSD has no per-group override_shell key; the per-user shell is read from an AD
# attribute, so set that attribute to the restricted script path for the users to restrict
ldap_user_shell = loginShell
Here's a full /etc/sssd/sssd.conf example for a production environment:
[sssd]
domains = your.domain.com
services = nss, pam
[domain/your.domain.com]
id_provider = ad
access_provider = ad
ad_domain = your.domain.com
krb5_realm = YOUR.DOMAIN.COM
cache_credentials = True
# Shell handling: there is no per-group override_shell variant, so the shell comes from
# each user's AD loginShell attribute (e.g. /usr/local/bin/restricted_shell.sh for
# restricted users, /bin/zsh for developers); default_shell only covers entries without one
default_shell = /bin/bash
ldap_user_shell = loginShell
The restricted shell should prevent users from escaping to a normal shell. Here's a basic example:
#!/bin/bash
# /usr/local/bin/restricted_shell.sh
# Ignore Ctrl-C and Ctrl-Z so the user cannot interrupt or suspend out of the menu
trap '' INT TSTP
echo "Welcome to restricted environment"
echo "Available commands:"
echo "1. status"
echo "2. report"
# read -r keeps backslashes literal; the loop ends on EOF (Ctrl-D) instead of spinning
while IFS= read -r -p "restricted> " cmd; do
    # Quote $cmd so the input is matched literally, never word-split or glob-expanded
    case "$cmd" in
        status) echo "System is operational";;
        report) /usr/local/bin/generate_report.sh;;
        exit) break;;
        *) echo "Invalid command";;
    esac
done
After modifying sssd.conf, remember to:
sudo chmod 600 /etc/sssd/sssd.conf
sudo systemctl restart sssd
Test with getent passwd username to verify the shell changes. If a user still shows the old shell, SSSD may be serving a cached entry; sss_cache -E clears the cache so the next lookup goes back to AD.
If you need more complex logic, consider using PAM with pam_exec:
# /etc/pam.d/sshd
auth required pam_exec.so /usr/local/bin/set_shell_based_on_group.sh
The script would check group membership and set the SHELL environment variable accordingly. Note that the login shell sshd actually launches still comes from the passwd entry SSSD returns, so a PAM script can add checks or logging on top of the SSSD shell mapping but cannot replace that shell by itself.
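A hardened version of the restricted shell discussed above, added here as an example rather than taken from the page: it ignores interrupt and job-control signals, matches the whole input line against the allow-list so that appended commands are rejected, routes the -c form sshd uses for non-interactive commands through the same allow-list, and logs every attempt to syslog. The report helper path is an assumed placeholder.

```shell
#!/bin/bash
# Hardened restricted shell: added example, not the script from the page above.
# Allow-list is "status" and "report"; REPORT_CMD is an assumed placeholder path.
REPORT_CMD="/usr/local/bin/generate_report.sh"

# Record every attempt in syslog (auth facility) so escape attempts are visible to detection.
log_attempt() {
    logger -t restricted_shell -p auth.notice "user=${USER:-unknown} cmd=[$1] result=$2" 2>/dev/null || true
}

# dispatch LINE: run exactly one allow-listed command. Returns 0 if allowed, 1 if rejected.
# The whole line must match a pattern, so "status; bash" or "status $(id)" is rejected,
# and the input is never handed to eval or to another shell.
dispatch() {
    case "$1" in
        status)
            echo "System is operational"
            log_attempt "$1" allowed; return 0 ;;
        report)
            if [ -x "$REPORT_CMD" ]; then "$REPORT_CMD"; else echo "report unavailable"; fi
            log_attempt "$1" allowed; return 0 ;;
        *)
            echo "Invalid command" >&2
            log_attempt "$1" rejected; return 1 ;;
    esac
}

main() {
    # Ignore interrupt and job-control signals so Ctrl-C/Ctrl-Z cannot break out of the loop.
    trap '' INT TSTP QUIT
    # sshd runs "ssh host cmd" as "$SHELL -c cmd"; send that through the same allow-list
    # instead of letting a non-interactive command bypass the menu.
    if [ "$1" = "-c" ]; then dispatch "$2"; return $?; fi
    echo "Welcome to restricted environment (commands: status, report, exit)"
    while IFS= read -r -p "restricted> " cmd; do
        case "$cmd" in
            exit) break ;;
            "") ;;
            *) dispatch "$cmd" ;;
        esac
    done
}

# Enter the shell only when invoked as a login shell (terminal on stdin) or with -c.
if [ -t 0 ] || [ "$1" = "-c" ]; then
    main "$@"
fi
```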
When managing Linux systems integrated with Active Directory, administrators often need to implement granular control over user environments. A common requirement is restricting certain AD group members to specific scripts or limited shells while allowing regular users full shell access.
The traditional approach of modifying /etc/passwd doesn't work for AD users since their accounts are centrally managed. Here's how to implement this using SSSD (System Security Services Daemon).
SSSD's ldap_user_extra_attrs and ldap_user_ssh_public_key features can be leveraged to achieve this. Here's a complete configuration example:
[sssd]
services = nss, pam
domains = example.com
[domain/example.com]
id_provider = ad
access_provider = ad
ad_domain = example.com
krb5_realm = EXAMPLE.COM
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
# Critical configuration for shell override: take the shell from the AD loginShell
# attribute and fall back to bash only when the entry has none; override_shell would
# force /bin/bash on every user and defeat the per-user mapping
ldap_user_shell = loginShell
default_shell = /bin/bash
# Optional: also cache the raw attribute (format is cache_name:ldap_attribute)
ldap_user_extra_attrs = shell:loginShell
To apply different shells based on group membership, we use SSSD's override functionality combined with AD attributes:
- Create an AD attribute (e.g., unixLoginShell) for users
- Set this attribute to your restricted script path for target users
- Configure SSSD to prefer this attribute:
[domain/example.com]
...
# ldap_user_shell names a single attribute; keep default_shell as the fallback for
# entries that do not carry it (override_shell would force bash for everyone)
ldap_user_shell = unixLoginShell
default_shell = /bin/bash
For more complex scenarios where shell assignment requires additional logic, consider combining SSSD with PAM:
# /etc/pam.d/sshd
# Skip the helper for users outside the group. Keep the helper "optional", never
# "sufficient": a sufficient pam_exec line would let the script's exit 0 satisfy
# authentication on its own
auth [success=1 default=ignore] pam_succeed_if.so quiet user notingroup restricted_users
auth optional pam_exec.so /usr/local/bin/assign_shell.sh
With a helper script:
#!/bin/bash
# /usr/local/bin/assign_shell.sh
# pam_exec exports PAM_USER, the account being authenticated
if id -nG "$PAM_USER" | grep -qw "restricted_users"; then
    echo "/path/to/restricted/script"
    exit 0
else
    exit 1
fi
After implementation, verify with:
getent passwd aduser@domain | cut -d: -f7
Common issues to check:
- Ensure the shell path exists and is executable
- Verify proper SELinux context if enabled
- Check SSSD debug logs (sssd -d 3) for attribute processing
When implementing restricted shells:
- Always use absolute paths
- Set proper permissions (root-owned, 755)
- Consider chroot environments for high-security needs
- Log all restricted shell access attempts