Lsass Active Directory
Setting Name | Description |
AssumeDefaultDomain | Apply domain name prefix to account name at logon. Default value: false |
CreateHomeDir | Whether home directories should be automatically created upon user logon. Default value: true |
CreateK5Login | Whether .k5login file is to be created on user logon. Default value: true |
SyncSystemTime | Whether system time should be synchronized with AD domain controller. Default value: true |
TrimUserMembership | Whether to remove a cached group membership entry derived from the PAC when information from LDAP shows that the user is no longer in the group. Default value: true |
LdapSignAndSeal | Whether all LDAP traffic should be sent both signed and sealed. Default value: false |
LogADNetworkConnectionEvents | Configure lsass to log events for offline query failures and transitions. Default value: true |
NssEnumerationEnabled | Whether to enumerate users or groups for NSS. Default value: true |
NssGroupMembersQueryCacheOnly | Whether to return only cached info for NSS group members. Default value: true |
NssUserMembershipQueryCacheOnly | Whether to return only cached info for NSS user's groups. Default value: false |
RefreshUserCredentials | Whether to refresh user credentials against AD domain controller. Default value: true |
CacheEntryExpiry | Duration for when lsass object cache entries are marked stale. Default value: 14400 |
DomainManagerCheckDomainOnlineInterval | How often the domain manager should check whether a domain is back online. Default value: 300 |
DomainManagerUnknownDomainCacheTimeout | How long an unknown domain is cached as unknown in the domain manager. Default value: 3600 |
MachinePasswordLifespan | Machine password expiration lifespan in seconds. Default value: 2592000 |
ServicePrincipalName | Update the local krb5 keytab file and computer account service principal name attribute in AD with the provided list of instances. Changes take effect on domain join. The default adds the host service class. Default value: host |
MemoryCacheSizeCap | The maximum bytes to use for the in-memory cache. Old data will be purged if the total cache size exceeds this limit. A value of 0 indicates no limit. Default value: 0 |
HomeDirForceLowercase | Forces the home directory (/.../domainname/username) to be lowercase. Lowercase home directory is created on user login. If configured, /etc/pbis/user-override file takes precedence. Default value: false |
HomeDirPrefix | Prefix path for user's home directory. This value is used in place of the %H in the HomeDirTemplate setting. Value must be an absolute path. Default value: /home |
HomeDirTemplate | Format string for user's home directory path. This value can contain substitution string markers for HomeDirPrefix (%H), Domain (%D), and User (%U). Default value: %H/local/%D/%U |
RemoteHomeDirTemplate | Format string for the mount path of the remote Windows Folder. This value can contain substitution string markers for HomeDirPrefix (%H), Domain (%D), and User (%U). |
HomeDirUmask | Umask for home directories. Default value: 022 |
LoginShellTemplate | Default login shell template. Default value: /bin/sh |
SkeletonDirs | Skeleton home directory template directories. Default value: /etc/skel |
UserDomainPrefix | Domain short name prefix to be used when AssumeDefaultDomain setting is enabled. |
DomainManagerIgnoreAllTrusts | When true, ignore all trusts during domain enumeration. |
DomainManagerIncludeTrustsList | When DomainManagerIgnoreAllTrusts is true, these trusts are included. |
DomainManagerExcludeTrustsList | When DomainManagerIgnoreAllTrusts is false, these trusts are excluded. |
RequireMembershipOf | Restrict logon access to computer to specific users or group members, or SIDs. |
IgnoreGroupAlias | When enabled, Group Alias will not be used when displaying group names. |
SmartcardEnabled | Smart Card services will not be used when disabled. Default value: false |
SmartcardRedirector | Smart Card redirector services will not be used when disabled. Default value: false |
SmartcardRequiredForLogin | Smart Card will be required for login. Default value: false |
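
The %H, %D and %U substitution described for HomeDirTemplate, HomeDirPrefix and HomeDirForceLowercase in the table above, shown as an added example that is not part of the original page and is not PBIS code. The function name `expand_home_dir`, the rejection of path separators in account names, the assumption that lowercasing applies to the domain and user parts, and the sample account are all assumptions made for illustration.

```python
import posixpath

# Defaults copied from the settings table above.
DEFAULTS = {"HomeDirPrefix": "/home", "HomeDirTemplate": "%H/local/%D/%U"}


def expand_home_dir(user, domain, template=DEFAULTS["HomeDirTemplate"],
                    prefix=DEFAULTS["HomeDirPrefix"], force_lowercase=False):
    """Expand %H, %D and %U in a HomeDirTemplate-style string (hypothetical helper)."""
    # The table requires HomeDirPrefix to be an absolute path.
    if not prefix.startswith("/"):
        raise ValueError("HomeDirPrefix must be an absolute path")
    # Assumption: a name component must not add or climb path levels.
    for label, value in (("user", user), ("domain", domain)):
        if not value or "/" in value or "\x00" in value or value in (".", ".."):
            raise ValueError(f"unsafe {label} component: {value!r}")
    if force_lowercase:
        # Assumption: HomeDirForceLowercase folds the domain and user parts.
        user, domain = user.lower(), domain.lower()
    values = {"H": prefix, "D": domain, "U": user}
    out, i = [], 0
    while i < len(template):
        if template[i] == "%":
            marker = template[i + 1:i + 2]
            if marker not in values:
                raise ValueError(f"unsupported marker %{marker} in template")
            out.append(values[marker])
            i += 2
        else:
            out.append(template[i])
            i += 1
    path = posixpath.normpath("".join(out))
    if not path.startswith("/"):
        raise ValueError(f"expanded path {path!r} is not absolute")
    # A template rooted at %H must not climb back out of the prefix via "..".
    root = posixpath.normpath(prefix).rstrip("/") + "/"
    if template.startswith("%H") and not path.startswith(root):
        raise ValueError(f"expanded path {path!r} escapes {prefix!r}")
    return path


if __name__ == "__main__":
    # Constructed sample account, not taken from the page.
    print(expand_home_dir("JSmith", "EXAMPLE"))
    print(expand_home_dir("JSmith", "EXAMPLE", force_lowercase=True))
```

Running a candidate template through a check like this before deploying it shows where home directories will be created and flags templates that would place them outside the intended prefix.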