On 09/26/2014 06:52 AM, Joakim Tjernlund wrote:
>>> Don't quite follow here. I do have a local root user
>>> local pw as required by any UNIX I know. I also have an AD root
>> Let's get this straight, you have a user called 'root' in /etc/passwd
>> and another user called 'root' in AD, is this correct ???
> You should name your central user something else. SSSD will deliberately
> not authenticate root because root should be authenticated by pam_unix.
That should be my decision, not enforced by SSSD.
Sorry. Not necessarily true.
root should not fail so SSSD does not process root.
This has been an architectural decision.
However you are welcome to summarize your requirements and file a ticket.
There is a chance that we still do not fully understand what you are
trying to accomplish and why you are trying to do it that way.
Keep in mind that if you are relying on SSSD then you can rely on SUDO
too, so you can use a non-root central name.
This is a recommended approach.
If you do not trust SSSD for root (which is also how it should be as
Stephen explained) then you should rely on pam_unix to process root.
Having root defined centrally because you trust SSSD but do not trust
SUDO does not make much sense, sorry.
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.