On 11/30/2016 02:47 PM, Michael Ströder wrote:
Mario Rossi wrote:
I understand your pain, I have the same issue. We have a local emargency user
in /etc/passwd and initially when we deployed servers everything was good.
And then people started to use emergency user on a daily basis
1. Make sure there's an organizational process to provide the credentials needed
for the emergency users and revoke the credentials afterwards.

Emergency users should be used when LDAP fails and there is no other way to get access to the box via ssh. I can recall an incident a few years ago where an admin deleted the bigip_monitoring user thinking that the account is not used. You would think that people would be able to tell what the user is being used for :) In this case the LB took down the ldap farm and emergency user was a savior until the user had been restored.

instead of their ldap accounts to bypass any ldap restrictions or
misconfiguration of the servers.
2. Make sure everything else works as expected for your users in daily life.

Ciao, Michael.

sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org