Thank you Sumit for that clear answer.

Does this restriction also apply to the AD provider? In AD, aren't all connections encrypted and authenticated through Kerberos? That question could be quite naive...

Cheers,

mathias

2015-11-02 14:42 GMT+01:00 Sumit Bose <sbose@redhat.com>:
On Mon, Nov 02, 2015 at 02:15:30PM +0100, mathias dufresne wrote:
> Hi all,
>
> I'm trying to define in my AD administrative accounts for Linux boxes. To
> do that I initially thought to create nominative accounts with some suffix
> (ex: <username>_adm) and give them UID=0 to make them root accounts.
>
> As SSSD comes with filtering options to prevent some users or groups from
> connecting to a given system using SSSD, I would have added these users to
> some groups and finally granted access to one admins group on a first bunch
> of systems, the second admins group on a second bunch of systems, etc...
>
> Reading the docs and man pages about SSSD, sometimes they seem to say that it is
> possible to have users retrieved by SSSD when they have UID = 0, sometimes
> they say it is not possible.
>
> For example: man sssd.conf on Centos 7 (sssd 1.12.2
> - 1.12.2-58.el7_1.17.x86_64) gives:
> pam_trusted_users (string)
>            Specifies the comma-separated list of UID values or user names
>            that are allowed to access the PAM responder. User names are
>            resolved to UIDs at startup.
>
>            Default: all (All users are allowed to access the PAM responder)
>
>            Please note that UID 0 is always allowed to access the PAM
>            responder even in case it is not in the pam_trusted_users list.
>
> As the man page says users with "UID 0 is always allowed..." I would have expected
> this to refer to users retrieved by SSSD, so that SSSD accepts retrieving users
> with UID=0.

What comes after allowed is important: "UID 0 is always allowed to access
the PAM responder". The SSSD responders are interfaces to local services
running on the same host as SSSD. For some of the services one might
want to restrict access. E.g. since the PAM responder handles user
passwords and authentication, in some environments it might be useful to
only allow specific local users to access the PAM responder. The comment
in the man page should underline that, independent of the configured
restrictions, root (UID 0) is always allowed to access the responder.
This is completely unrelated to the users and UIDs read from a remote
server.

>
> Unfortunately even adding "min_id = 0" in my sssd.conf, SSSD refuses to show
> uid=0 users.
>
> In SSSD logs I have the ldapsearch filter shown as follows:
> (&(cn=<username>)(objectclass=user)(cn=*)(&(uidNumber=*)(!(uidNumber=0))))
>
> And somewhere I read this is by design that now SSSD refuses to allow users
> with UID=0.
>
> As all that is not too clear for me, where are we now, are users with UID=0
> allowed or not?

No, they are not. SSSD explicitly does not return a user with UID==0.
The risk here would be too high that this gets exploited. E.g. typically
the user entry with the UID is read from an LDAP server. To be
compatible with many existing LDAP setups SSSD does not force SSL/TLS on
the connection which reads the user entry. So SSSD cannot reliably
determine if it talks to the "real" LDAP server or a fake one prepared
by an attacker.

HTH

bye,
Sumit
>
> Cheers,
>
> mathias

> _______________________________________________
> sssd-users mailing list
> sssd-users@lists.fedorahosted.org
> https://lists.fedorahosted.org/mailman/listinfo/sssd-users

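As an added illustration (not code from this thread or from SSSD itself): a small parser for the LDAP filter quoted in the log line above, evaluated against constructed AD-style entries. The username jdoe and the three entries are assumptions; the point it shows is that the hard-coded (!(uidNumber=0)) term, not min_id, is what keeps a UID 0 account out of the results.

```python
# Constructed example: the filter SSSD logged in the thread, with the mail
# client's bold markers (*...*) removed and <username> made a parameter.
def sssd_user_filter(username):
    return ("(&(cn=%s)(objectclass=user)(cn=*)"
            "(&(uidNumber=*)(!(uidNumber=0))))" % username)

def parse_filter(s, i=0):
    """Parse the RFC 4515 subset used here: AND, NOT, equality, presence."""
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] == "&":
        items, i = [], i + 1
        while s[i] == "(":
            node, i = parse_filter(s, i)
            items.append(node)
        return ("and", items), i + 1          # skip the closing ')'
    if s[i] == "!":
        node, i = parse_filter(s, i + 1)
        return ("not", node), i + 1           # skip the closing ')'
    end = s.index(")", i)
    attr, value = s[i:end].split("=", 1)
    kind = "present" if value == "*" else "equal"
    return (kind, attr.lower(), value.lower()), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against an entry (lower-case attribute names)."""
    kind = node[0]
    if kind == "and":
        return all(matches(child, entry) for child in node[1])
    if kind == "not":
        return not matches(node[1], entry)
    values = [str(v).lower() for v in entry.get(node[1], [])]
    return bool(values) if kind == "present" else node[2] in values

def lookup(username, entries):
    """Return the cn of every entry the SSSD filter would let through."""
    tree, _ = parse_filter(sssd_user_filter(username))
    return [e["cn"][0] for e in entries if matches(tree, e)]

# Constructed AD-style entries (not real data): a normal user, the intended
# "<username>_adm" root account with uidNumber 0, and one with no uidNumber.
ENTRIES = [
    {"cn": ["jdoe"], "objectclass": ["top", "person", "user"], "uidnumber": [1001]},
    {"cn": ["jdoe_adm"], "objectclass": ["top", "person", "user"], "uidnumber": [0]},
    {"cn": ["svc_legacy"], "objectclass": ["top", "person", "user"]},
]

if __name__ == "__main__":
    for name in ("jdoe", "jdoe_adm", "svc_legacy"):
        print(name, "->", lookup(name, ENTRIES))
```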