Lsass Active Directory

Setting Name Description
AssumeDefaultDomain

Apply domain name prefix to account name at logon.

Default Value: false

CreateHomeDir

Whether home directories should be automatically created upon user logon.

Default Value: true

CreateK5Login

Whether .k5login file is to be created on user logon.

Default Value: true

SyncSystemTime

Whether system time should be syncronized with AD domain controller.

Default Value: true

TrimUserMembership

Whether to remove a cached group membership entry derived from PAC with information from LDAP showing the user disappearing from a group.

Default Value: true

LdapSignAndSeal

Whether all LDAP traffic should be sent both signed and sealed.

Default Value: false

LogADNetworkConnectionEvents

Configure lsass to log events for offline query failures and transitions.

Default Value: true

NssEnumerationEnabled

Whether to enumerate users or groups for NSS.

Default Value: true

NssGroupMembersQueryCacheOnly

Whether to return only cached info for NSS group members.

Default Value: true

NssUserMembershipQueryCacheOnly

Whether to return only cached info for NSS user's groups.

Default Value: false

RefreshUserCredentials

Whether to refresh user credentials agaist AD domain controller.

Default Value: true

CacheEntryExpiry

Duration for when lsass object cache entries are marked stale.

Default Value: 14400

DomainManagerCheckDomainOnlineInterval

How often the domain manager should check whether a domain is back online.

Default Value: 300

DomainManagerUnknownDomainCacheTimeout

How long an unknown domain is cached as unknown in the domain manage.

Default Value: 3600

MachinePasswordLifespan

Machine password expiration lifespan in seconds.

Default Value: 2592000

ServicePrincipalName

Update the local krb5 keytab file and computer account service principal name attribute in AD with the provided list of instances.

Changes take affect on domain join. Default adds host service class.

Default Value: host

MemoryCacheSizeCap

The maximum bytes to use for the in-memory cache. Old data will be purged if the total cache size exceeds this limit.

A value of 0 indicates no limit.

Default Value: 0

HomeDirForceLowercase

Forces the home directory (/.../domainname/username) to be lowercase. Lowercase home directory is created on user login. If configured, /etc/pbis/user-override file takes precedence.

Default Value: false

HomeDirPrefix

Prefix path for user's home directory. This value is used in place of the %H in the HomeDirTemplate setting. Value must be an absolute path.

Default Value: /home

HomeDirTemplate

Format string for user's home directory path. This value can contain substitution string markers for HomeDirPrefix (%H), Domain (%D), and User (%U).

Default Value: %H/local/%D/%U

RemoteHomeDirTemplate

Format string for the mount path of the remote Windows Folder.

This value can contain substitution string markers for HomeDirPrefix (%H), Domain (%D), and User (%U).

HomeDirUmask

Umask for home directories.

Default Value: 022

LoginShellTemplate

Default login shell template.

Default Value: /bin/sh

SkeletonDirs

Skeleton home directory template directories.

Default Value: /etc/skel

UserDomainPrefix Domain short name prefix to be used when AssumeDefaultDomain setting is enabled.
DomainManagerIgnoreAllTrusts When true, ignore all trusts during domain enumeration.
DomainManagerIncludeTrustsList When DomainManagerIgnoreAllTrusts is true, these trusts are included.
DomainManagerExcludeTrustsList When DomainManagerIgnoreAllTrusts is false, these trusts are excluded.
RequireMembershipOf Restrict logon access to computer to specific users or group members, or SIDs
IgnoreGroupAlias When enabled, Group Alias will not be used when displaying group names.
SmartcardEnabled

Smart Card services will not be used when disabled.

Default Value: false

SmartcardRedirector

Smart Card redirector services will not be used when disabled.

Default Value: false

SmartcardRequiredForLogin

Smart Card will be required for login.

Default Value: false