On 02/11/15 13:15, mathias dufresne wrote:
Hi all,
I'm trying to define administrative accounts for Linux boxes in my AD.
To do that I initially thought of creating nominative accounts with some
suffix (ex: <username>_adm) and giving them UID=0 to make them root
accounts.
As SSSD comes with a filtering option to prevent some users or groups from
connecting to a given system using SSSD, I would have added these
users to some groups and finally granted access for one admins group to a
first bunch of systems, the second admins group to a second bunch of
systems, etc.
Reading the docs and man pages about SSSD, sometimes they seem to say that it is
possible to have users with UID = 0 retrieved by SSSD, and
sometimes they say it is not possible.
For example: man sssd.conf on Centos 7 (sssd 1.12.2
- 1.12.2-58.el7_1.17.x86_64) gives:
pam_trusted_users (string)
Specifies the comma-separated list of UID values or user
names that are allowed to access
the PAM responder. User names are resolved to UIDs at startup.
Default: all (All users are allowed to access the PAM
responder)
Please note that UID 0 is always allowed to access the PAM responder
even in case it is not in the pam_trusted_users list.
As the man page says that "UID 0 is always allowed...", I would have
expected this to refer to users retrieved by SSSD, so that SSSD accepts
retrieving users with UID=0.
Unfortunately, even after adding "min_id = 0" to my sssd.conf, SSSD refuses to
show uid=0 users.
In the SSSD logs I see the ldapsearch filter shown as follows:
(&(cn=<username>)(objectclass=user)(cn=*)(&(uidNumber=*)(!(uidNumber=0))))
Hi, never mind the root user, is that a search filter that sssd is
using? It seems to search for a specific user and all users at the same
time.
Rowland
And somewhere I read that it is now by design that SSSD refuses to allow
users with UID=0.
As all that is not too clear to me, where are we now: are users with
UID=0 allowed or not?
Cheers,
mathias
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
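The filter quoted in the thread is easier to reason about when evaluated by hand. The following is an added example, not SSSD code and not from either poster: a minimal evaluator for RFC 4515 style filters (and, or, not, equality and presence) run over a constructed directory. It shows that `(cn=*)` is only a presence test, redundant next to `(cn=<username>)` rather than a second search for all users, and that the `(!(uidNumber=0))` clause excludes a UID 0 entry on the server side no matter what min_id says. The entry names, UIDs and the `sssd_style_lookup` helper are constructed for the example.

```python
"""Toy LDAP filter evaluator (added example, not SSSD's code).

Parses the search filter quoted in the thread and applies it to a handful of
constructed directory entries so each clause's effect can be seen directly.
"""

# Filter exactly as it appears in the SSSD log, with <username> substituted
# per lookup (placeholder kept from the thread).
SSSD_FILTER = "(&(cn=<username>)(objectclass=user)(cn=*)(&(uidNumber=*)(!(uidNumber=0))))"

# Constructed directory: attribute names lowercased, values as lists of strings.
DIRECTORY = [
    {"cn": ["alice"], "objectclass": ["user"], "uidnumber": ["10001"]},
    {"cn": ["alice_adm"], "objectclass": ["user"], "uidnumber": ["0"]},   # UID 0 admin account idea from the thread
    {"cn": ["bob"], "objectclass": ["user"]},                             # no uidNumber attribute at all
    {"cn": ["printers"], "objectclass": ["group"], "uidnumber": ["0"]},   # not a user object
]


def parse_filter(s, i=0):
    """Parse one parenthesised filter starting at s[i]; return (node, index after it)."""
    if s[i] != "(":
        raise ValueError("filter must start with '('")
    i += 1
    op = s[i]
    if op in "&|":                      # (&(...)(...)) / (|(...)(...))
        i += 1
        children = []
        while s[i] == "(":
            child, i = parse_filter(s, i)
            children.append(child)
        return (op, children), i + 1    # skip closing ')'
    if op == "!":                       # (!(...))
        child, i = parse_filter(s, i + 1)
        return ("!", child), i + 1
    end = s.index(")", i)               # simple item: attr=value
    attr, value = s[i:end].split("=", 1)
    return ("=", attr.lower(), value), end + 1


def matches(node, entry):
    """Evaluate a parsed filter node against one entry."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    _, attr, value = node
    values = entry.get(attr, [])
    if value == "*":                    # presence test: attribute exists with any value
        return len(values) > 0
    return any(v.lower() == value.lower() for v in values)   # case-insensitive equality


def search(filter_str, entries=DIRECTORY):
    """Return the cn of every entry the filter matches, in directory order."""
    node, _ = parse_filter(filter_str)
    return [e["cn"][0] for e in entries if matches(node, e)]


def sssd_style_lookup(username, entries=DIRECTORY):
    """Apply the thread's filter for one user name (constructed helper)."""
    return search(SSSD_FILTER.replace("<username>", username), entries)


if __name__ == "__main__":
    print("alice     ->", sssd_style_lookup("alice"))        # ['alice']
    print("alice_adm ->", sssd_style_lookup("alice_adm"))    # [] : dropped by (!(uidNumber=0))
    print("bob       ->", sssd_style_lookup("bob"))          # [] : no uidNumber, fails (uidNumber=*)
    print("(cn=*)    ->", search("(cn=*)"))                   # presence test matches every entry with a cn
    # Same lookup without the UID 0 exclusion, to show that clause alone is what hides the account:
    print("no-excl.  ->", search("(&(cn=alice_adm)(objectclass=user)(uidNumber=*))"))  # ['alice_adm']
```

Running the block with the constructed entries makes the point of the thread concrete: `alice_adm` satisfies every clause except `(!(uidNumber=0))`, so lowering min_id cannot bring it back as long as that clause is part of the query SSSD sends.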