Simo Sorce <simo(a)redhat.com> wrote on 2014/09/26 18:34:56:
On Fri, 26 Sep 2014 13:44:56 +0200
Joakim Tjernlund <joakim.tjernlund(a)transmode.se> wrote:
> I see this the other way, SSSD has little to no technical reason to
> deny an AD root user.
SSSD denies access to any 'root' or uid = 0 users from any domain
regardless of type.
The technical decision was made when we started the project to avoid
causing issues recovering a machine should sssd misbehave. By not
handling the root user we cannot break the root user login.
> It is just an "architectural decision" and best practice
> enforced with no way out.
Indeed, there is no way out, and SSSD internals make it impossible to
easily fix as uid=0 is considered an invalid uid throughout all the
Sorry it does not meet your expectations, but this is how it works.
I understand better now.
Thank you for bearing with me and the history lesson.
We will adapt and make sure sudo and k5login are set up on every install.