All,

Our cybersecurity team doesn’t allow Linux sysadmins to directly log in as root.  (violates accountability, auditability and traceability).  We log in with an ADM account, which is then eligible to become root via ‘sudo su –‘.

That is, all members of a particular group are allowed to sudo to root.

This is preferred because with modern sudo versions all sudo sessions are session-logged.

Anyway, if I log in with my ADM account and someone shuts down sssd, it no longer knows what groups I’m in.  That is, the session is still there – but it cannot look up the group names.

[admspike_white@zzzdmsdev06 ~]$ id

uid=2025431 gid=1002 groups=1002,2284295

 

Because the sudo privs are based on group name, it doesn’t allow Linux sysadmins to become root and thus start sssd.

 

Is there a way to cache those group names and memberships?  Say with nscd?  So that if sssd is (temporarily) shut down, we can become root and start up?

 

Obviously, we can go look up the root password for the particular server – but that’s a painful portal.  It’d be better if we could cache group names and memberships, if sssd is temporarily down or offline.

 

(We have other AD integration products that have this “offline caching” feature that can enabled or disabled.)

 

Spike