On Fri, 26 Sep 2014 13:44:56 +0200
Joakim Tjernlund <joakim.tjernlund(a)transmode.se> wrote:
I see this the other way, SSSD has little to no technical reason to
deny an AD root user.
SSSD denies access to any 'root' or uid = 0 users from any domain
regardless of type.
The technical decision was made when we started the project to avoid
causing issues recovering a machine should sssd misbheave. By not
handling the root user we cannot break the root user login.
It is just an "architectural decision" and best practice
enforced with no way out.
Indeed, there is no way out, and SSSD internals make it impossible to
easily fix as uid=0 is considered an invalid uid throughout all the
Sorry it does not meet your expectations, but this is how it works.
Simo Sorce * Red Hat, Inc * New York