Hi all,
I'm trying to define in my AD administrative accounts for
Linux boxes. To do that I initially thought to create
nominative accounts with some suffix (ex: <username>_adm)
and give them UID=0 to make them root accounts.
As SSSD comes with a filtering option to prevent some users or
groups from connecting on some given system using SSSD, I would
have added these users to some groups and finally granted access
to one admins group on a first bunch of systems, the second
admins group on a second bunch of systems, etc...
Reading docs and man pages about SSSD, sometimes it seems to
say that it is possible to have users retrieved by SSSD when they
have UID = 0, sometimes it says it is not possible.
For example: man sssd.conf on CentOS 7 (sssd 1.12.2
- 1.12.2-58.el7_1.17.x86_64) gives:
pam_trusted_users (string)
Specifies the comma-separated list of UID
values or user names that are allowed to access
the PAM responder. User names are resolved to
UIDs at startup.
Default: all (All users are allowed to access
the PAM responder)
Please note that UID 0 is always allowed
to access the PAM responder even in case it is
not in the pam_trusted_users list.
As the man page says users with "UID 0 is always allowed..." I
would have expected this to refer to users retrieved by SSSD, so that
SSSD accepts to retrieve users with UID=0.
Unfortunately even adding "min_id = 0" in my sssd.conf, SSSD
refuses to show uid=0 users.
In SSSD logs I have the ldapsearch filter shown as follows:
(&(cn=<username>)(objectclass=user)(cn=*)(&(uidNumber=*)(!(uidNumber=0))))
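The filter in that log line is the reason min_id changes nothing here: SSSD appends its own `(!(uidNumber=0))` clause, so a directory entry with uidNumber=0 never comes back from the LDAP search, whatever the ID range allows. The following is an added example (not code from the original post or from the SSSD project): a small evaluator for the filter subset that appears in that log line (AND, OR, NOT, equality, presence) run against two constructed entries, one with uidNumber=0 and one with an ordinary UID. The user name `alice_adm`, the entries and the function names are assumptions for the example.

```python
"""Evaluate the LDAP filter SSSD logged, against constructed entries.

Supported RFC 4515 subset: (&...), (|...), (!...), (attr=value), (attr=*).
Escaped values (\\2a etc.) and substring/ordering matches are not handled;
the logged filter does not use them.
"""

# The filter from the SSSD debug log above, with the <username>
# placeholder filled in with a constructed account name.
SSSD_FILTER = (
    "(&(cn=alice_adm)(objectclass=user)(cn=*)"
    "(&(uidNumber=*)(!(uidNumber=0))))"
)

# Constructed directory entries, attribute names lower-cased as in LDAP
# (attribute types are case-insensitive). Values are lists of strings.
ROOT_ADM = {"cn": ["alice_adm"], "objectclass": ["top", "person", "user"],
            "uidnumber": ["0"]}
NORMAL_ADM = {"cn": ["alice_adm"], "objectclass": ["top", "person", "user"],
              "uidnumber": ["10001"]}


def parse_filter(text):
    """Parse a filter string into a nested-tuple AST."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing data at offset %d" % pos)
    return node


def _parse(text, pos):
    if text[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    pos += 1
    op = text[pos]
    if op in "&|":                      # n-ary AND / OR
        pos += 1
        children = []
        while text[pos] == "(":
            child, pos = _parse(text, pos)
            children.append(child)
        if text[pos] != ")":
            raise ValueError("expected ')' at offset %d" % pos)
        return (op, children), pos + 1
    if op == "!":                       # unary NOT
        child, pos = _parse(text, pos + 1)
        if text[pos] != ")":
            raise ValueError("expected ')' at offset %d" % pos)
        return ("!", child), pos + 1
    # simple item: everything up to the closing parenthesis
    end = text.index(")", pos)
    attr, sep, value = text[pos:end].partition("=")
    if not sep:
        raise ValueError("unsupported filter item %r" % text[pos:end])
    if value == "*":
        return ("present", attr.lower()), end + 1
    return ("equal", attr.lower(), value), end + 1


def matches(node, entry):
    """Return True if the parsed filter selects the entry."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    if kind == "present":
        return bool(entry.get(node[1]))
    if kind == "equal":
        wanted = node[2].lower()
        return any(v.lower() == wanted for v in entry.get(node[1], []))
    raise ValueError("unknown node kind %r" % kind)


def would_sssd_return(entry, filter_text=SSSD_FILTER):
    """Would the LDAP server return this entry for the given filter?"""
    return matches(parse_filter(filter_text), entry)


if __name__ == "__main__":
    for label, entry in (("uidNumber=0", ROOT_ADM), ("uidNumber=10001", NORMAL_ADM)):
        print("%-16s returned by SSSD filter: %s" % (label, would_sssd_return(entry)))
    # Dropping SSSD's own clause (hypothetical filter) would let the entry through;
    # that clause is what min_id = 0 does not remove.
    print("without (!(uidNumber=0)):",
          would_sssd_return(ROOT_ADM, "(&(cn=alice_adm)(objectclass=user)(uidNumber=*))"))
```

Running it shows the uidNumber=0 entry is excluded by the filter itself while the uidNumber=10001 entry passes; the last line shows the same entry would pass once the `(!(uidNumber=0))` clause is gone, which is exactly the clause an sssd.conf setting like min_id does not touch.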