On 25/09/14 20:36, Dmitri Pal wrote:
On 09/25/2014 02:27 PM, Rowland Penny wrote:
> On 25/09/14 17:26, Joakim Tjernlund wrote:
>> Stephen Gallagher <sgallagh(a)redhat.com> wrote on 2014/09/25 17:36:08:
>>> On 09/25/2014 11:01 AM, John Hodrien wrote:
>>>> On Thu, 25 Sep 2014, Joakim Tjernlund wrote:
>>>>> Yes, it is "my" job, not sssd's. Currently sssd dictate
>>>>> system ever should be allowed to login as root, no matter what.
>>>> SSSD dictates that no system should be allowed to login as root
>>>> via SSSD, and that's not quite the same. You're a corner case
>>>> where you're working against standard practice, but I can see why
>>>> you think it should be possible to configure SSSD to allow it,
>>>> given that you can strip away these sanity checks from PAM.
>>> Just to reiterate what I said elsewhere in this thread (without CCing
>>> Joakim, sorry):
>>> There are two reasons why SSSD refuses to handle root:
>>> 1) If SSSD was to crash, only root is capable of restarting it,
>>> debugging it or otherwise fixing the problem. So if you hit a bug and
>>> SSSD was the mechanism you used to log in as root, it cannot be fixed
>>> short of a reboot (and if the bug happens on every run because there
>>> was a regression in an update, your system is hosed.)
>>> 2) Without root in /etc/passwd and /etc/shadow, it's impossible to
>>> boot into single-user mode to fix any issues with the early boot
>> Don't quite follow here. I do have a local root user in passwd/shadow with a
>> local pw, as required by any UNIX I know. I also have an AD root account.
> Let's get this straight, you have a user called 'root' in /etc/passwd
> and another user called 'root' in AD, is this correct ???
You should name your central user something else. SSSD will deliberately
not authenticate root because root should be authenticated by pam_unix.
How about deleting the user called root in AD and choosing another domain
user called adroot. Then use:
username map = /some/file
to make adroot map to root in /some/file?
adroot is now a domain user with uid 0