Soham,

It might be that they're worried that if sssd (or the AD connection) misbehaves, they're dead in the water.  That is, they cannot log in with their ADM account and 'sudo su -' to become root in order to fix the problem.

We have a similar situation at work.  Cybersecurity dictates no remote root logins.  So if a Linux server's AD connection is hosed, we have to pop onto the server's console, log in as root and look up root's current password in the enterprise password vault.  Both of these steps are a pain, but can be accomplished.

It turns out one of our particular configuration management tools gives us another (secure) mechanism for Linux system engineers to become root.  (But that tool is going away.)  

It's rare that our AD integration tools (sssd et al) misbehave, or AD connection misbehaves.  But it happens.

It's likely that they're looking ahead and want some alternative pathway to become root that's not dependent on AD + sssd.  Or to have their main pathway not dependent on AD + sssd.

Spike

On Thu, Jan 9, 2020 at 12:21 PM Soham Chakraborty <dec.soham@gmail.com> wrote:
Hi all,

I have a requirement where my client is requesting to exclude all users who will become root (by sudo) from SSSD control.

The way I think it is possible is to not add those users into the sudo rule, or to create those users on the Linux side and not keep them in AD at all.  Has anyone encountered something like this?

I am trying to gather information as to why they need this. In the meantime if anyone knows how to achieve this, it would be much appreciated.

Thanks,
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
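As an added example (not from either poster, and not sssd project code), here is a small lint script for the approach both messages describe: a local break-glass account and a local sudo group that keep working when AD or sssd is down. It writes a constructed fixture (account `breakglass`, group `localadm`, domain `example.test` are all placeholders) and checks that `nsswitch.conf` consults `files` before `sss`, that the account is listed in sssd's `[nss] filter_users` so sssd never answers for it, and that a sudoers drop-in grants the local group root.

```shell
#!/bin/sh
# Added example: lint a config tree for a root path that does not depend on AD + sssd.
# Account, group and domain names below are constructed placeholders.
set -eu

# Write a constructed fixture under $1 (these are NOT real host files).
make_fixture() {
  mkdir -p "$1/etc/sssd" "$1/etc/sudoers.d"
  printf 'passwd:  files sss\ngroup:   files sss\nshadow:  files sss\n' > "$1/etc/nsswitch.conf"
  printf '[sssd]\nservices = nss, pam\ndomains = example.test\n\n[nss]\nfilter_users = root, breakglass\nfilter_groups = root\n' \
    > "$1/etc/sssd/sssd.conf"
  printf '%%localadm ALL=(ALL) ALL\n' > "$1/etc/sudoers.d/10-localadm"
}

# lint_local_admin ROOT ACCOUNT GROUP: returns 0 when all three checks pass.
#  1. nsswitch passwd/group resolve from 'files' before 'sss' (local account is found even if sssd is dead)
#  2. sssd.conf [nss] filter_users lists ACCOUNT (sssd will never shadow or "own" it)
#  3. some sudoers drop-in grants %GROUP full sudo (the local root path)
lint_local_admin() {
  root="$1"; acct="$2"; grp="$3"; rc=0
  for db in passwd group; do
    order=$(awk -v db="$db:" '$1 == db { print $2, $3 }' "$root/etc/nsswitch.conf")
    [ "${order%% *}" = "files" ] || { echo "FAIL: $db must list 'files' before 'sss'"; rc=1; }
  done
  # Keep only the filter_users line inside the [nss] section, then match the account as a whole token.
  if ! awk '/^\[/ { s = $0 } s == "[nss]" && /^filter_users/' "$root/etc/sssd/sssd.conf" \
       | tr ',= ' '\n\n\n' | grep -qx "$acct"; then
    echo "FAIL: $acct is not in [nss] filter_users"; rc=1
  fi
  grep -Eqs "^%$grp[[:space:]]+ALL=\(ALL\)[[:space:]]+ALL" "$root"/etc/sudoers.d/* \
    || { echo "FAIL: no sudoers rule for %$grp"; rc=1; }
  return $rc
}

fixture=$(mktemp -d)
make_fixture "$fixture"
lint_local_admin "$fixture" breakglass localadm && echo "OK: local root path is independent of sssd"
```

Point the same function at `/` (with real names) to audit a live host; each failing check prints a FAIL line and the function returns 1.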