On Tue, 24 Apr 2018, Joakim Tjernlund wrote:
> Yes, but every now and then joining the domain or losing the keytab
> computer upgrade happens and then no one can log in other than local root and
> that is impractical. Can one combine simple LDAP bind with xxx_provider=ad?
How often are you finding you're losing your keytab? If you update a machine,
you shouldn't lose your keytab.
If you reinstall a machine, you should either preserve your keytab, or rejoin
the domain as part of the install.
But for an installed system, I think you quickly reach a point where using
krb5 for NFS/Samba or other services becomes highly desirable, and none of
that flies unless you've got a local keytab.
There are other authentication methods you can use to access a machine
remotely other than as root with a password when SSSD is in an unusable state.
Whether it's possible or not, I'd question whether you really want to go down