Dmitri Pal <dpal(a)redhat.com> wrote on 2014/09/26 13:11:38:
On 09/26/2014 06:52 AM, Joakim Tjernlund wrote:
>>>> Don't quite follow here. I do have a local root user in
>>>> local pw as required by any UNIX I know. I also have an AD root
>>> Let's get this straight, you have a user called 'root' in
>>> and another user called 'root' in AD, is this correct?
>> You should name your central user something else. SSSD will
>> not authenticate root because root should be authenticated
> That should be my decision, not enforced by SSSD.
Sorry. Not necessarily true.
root should not fail so SSSD does not process root.
This has been an architectural decision.
However you are welcome to summarize your requirements and file a
There is a chance that we still do not fully understand what you are
trying to accomplish and why you are trying to do it that way.
I think you do understand by now, it is a simple request.
Keep in mind that if you are relying on SSSD then you can rely on SUDO
too, so you can use a non-root central name.
This is a recommended approach.
If you do not trust SSSD for root (which is also how it should be as
Stephen explained) then you should rely on pam_unix to process root.
Having root defined centrally because you trust SSSD but do not trust
SUDO does not make much sense, sorry.
I see this the other way: SSSD has little to no technical reason to deny
an AD root user. It is just an "architectural decision" and best practice
enforced with no way out.
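The layering Dmitri recommends above (local root handled by pam_unix, every other account handled by SSSD, privilege obtained through sudo for a central non-root account) looks like this on a typical Linux host. This is an added illustration, not part of the thread and not configuration shipped by the SSSD project; the account name adminuser@ad.example.com, the domain and the file names are placeholders, and the PAM lines assume the common "files first, then sss" ordering.

```text
# /etc/pam.d/system-auth  (auth phase only; account/password/session follow the same pattern)
# pam_unix runs first, so root is checked against /etc/shadow and never reaches SSSD.
# Every other user falls through to pam_sss, which authenticates against the AD domain.
auth    required     pam_env.so
auth    sufficient   pam_unix.so try_first_pass
auth    requisite    pam_succeed_if.so uid >= 1000 quiet_success
auth    sufficient   pam_sss.so use_first_pass
auth    required     pam_deny.so

# /etc/sudoers.d/ad-admins  (placeholder account; fully qualified name assumed because
# the AD domain in this illustration uses fully qualified names)
adminuser@ad.example.com  ALL=(ALL)  ALL
```

Two checks worth running on a host configured this way: `getent -s files passwd root` should answer, while `getent -s sss passwd root` should return nothing, because SSSD's NSS responder excludes root by default (the `filter_users` option in the `[nss]` section of sssd.conf defaults to `root`). And `sudo -l -U adminuser@ad.example.com` should list the rule above, which is the whole point of the split: the central account is an ordinary user as far as SSSD is concerned, and root privilege comes from sudo, not from a centrally defined uid-0 account. Note also that a local `root` and a central `root` are two different accounts with different uids; with `passwd: files sss` in nsswitch.conf the local one always wins name resolution, so a central `root` would be unreachable by name even if SSSD did not filter it.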