Hi all,

I'm trying to define administrative accounts for Linux boxes in my AD. To do that, I initially thought to create nominative accounts with some suffix (e.g. <username>_adm) and give them UID=0 to make them root accounts.

As SSSD comes with a filtering option to prevent some users or groups from connecting to a given system using SSSD, I would have added these users to some groups and finally granted access to one admins group on a first bunch of systems, the second admins group on a second bunch of systems, etc.

Reading the docs and man pages about SSSD, sometimes they seem to say that it is possible to have users retrieved by SSSD when they have UID = 0, and sometimes they say it is not possible.

For example: man sssd.conf on CentOS 7 (sssd 1.12.2 - 1.12.2-58.el7_1.17.x86_64) gives:
pam_trusted_users (string)
           Specifies the comma-separated list of UID values or user names that are allowed to access
           the PAM responder. User names are resolved to UIDs at startup.

           Default: all (All users are allowed to access the PAM responder)

           Please note that UID 0 is always allowed to access the PAM responder even in case it is
           not in the pam_trusted_users list.

As the man page says "UID 0 is always allowed...", I would have expected this to refer to users retrieved by SSSD, so that SSSD would accept retrieving users with UID=0.

Unfortunately, even after adding "min_id = 0" to my sssd.conf, SSSD refuses to show uid=0 users.

In the SSSD logs I have the ldapsearch filter shown as follows:
(&(cn=<username>)(objectclass=user)(cn=*)(&(uidNumber=*)(!(uidNumber=0))))

And somewhere I read that it is by design that SSSD now refuses to allow users with UID=0.

As all that is not too clear to me, where are we now: are users with UID=0 allowed or not?

Cheers,

mathias
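As an added illustration (not part of the message above, and not an SSSD project file), here is what the per-system group filtering the message describes looks like in sssd.conf with the simple access provider; since the filter quoted from the logs carries (!(uidNumber=0)) regardless of min_id, the admin accounts keep an ordinary uidNumber and privilege elevation is left to a separate mechanism such as sudo. The domain example.com, the group names linux_adm_grp1 / linux_adm_grp2 and the use of POSIX attributes from AD are assumptions.

```ini
# Added example sssd.conf fragment (not from the original message).
# Assumed: AD domain example.com, one admin group per bunch of systems
# (linux_adm_grp1, linux_adm_grp2), POSIX uidNumber/gidNumber stored in AD.
[sssd]
domains = example.com
services = nss, pam

[domain/example.com]
id_provider = ad
auth_provider = ad
# Read uidNumber/gidNumber from AD instead of SID-based ID mapping; this is
# why the LDAP filter in the logs asks for (uidNumber=*).
ldap_id_mapping = False

# Only members of the admin group for THIS bunch of systems may log in here.
# On the second bunch of systems, list linux_adm_grp2 instead.
access_provider = simple
simple_allow_groups = linux_adm_grp1

# min_id is only a lower bound on the IDs SSSD returns. Even with min_id = 0
# the search filter still contains (!(uidNumber=0)), so the <username>_adm
# accounts must keep an ordinary uidNumber and obtain root through a separate
# elevation mechanism (e.g. sudo), not by being UID 0 themselves.
min_id = 1000

[pam]
# pam_trusted_users restricts which LOCAL UIDs may talk to the PAM responder
# (the calling process). Local UID 0 is always allowed, as the man page quoted
# above says; this has no effect on which directory users SSSD will resolve.
# Left at the default here:
# pam_trusted_users = all
```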