Hi all,
I'm trying to define administrative accounts for Linux boxes in my AD. To
do that I initially thought to create nominative accounts with some suffix
(ex: <username>_adm) and give them UID=0 to make them root accounts.
As SSSD comes with a filtering option to prevent some users or groups from
connecting to a given system using SSSD, I would have added these users to
some groups and finally granted access to one admins group on a first bunch
of systems, a second admins group on a second bunch of systems, etc.
Reading docs and man pages about SSSD, sometimes they seem to say that it is
possible to have users retrieved by SSSD when they have UID = 0, sometimes
they say it is not possible.
For example, man sssd.conf on CentOS 7 (sssd 1.12.2
- 1.12.2-58.el7_1.17.x86_64) gives:
pam_trusted_users (string)
    Specifies the comma-separated list of UID values or user names that are allowed to access the PAM responder. User names are resolved to UIDs at startup.
    Default: all (All users are allowed to access the PAM responder)
    Please note that UID 0 is always allowed to access the PAM responder even in case it is not in the pam_trusted_users list.
As the man page says "UID 0 is always allowed...", I would have expected this
to refer to users retrieved by SSSD, so that SSSD would accept retrieving users
with UID=0.
Unfortunately, even after adding "min_id = 0" to my sssd.conf, SSSD refuses to
show uid=0 users.
In the SSSD logs I see the ldapsearch filter shown as follows:
(&(cn=<username>)(objectclass=user)(cn=*)(&(uidNumber=*)(!(uidNumber=0))))
And somewhere I read that this is by design, that SSSD now refuses to allow
users with UID=0.
As all of that is not too clear to me, where are we now: are users with UID=0
allowed or not?
Cheers,
mathias
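The filter quoted in the message, run through a small RFC 4515 evaluator over constructed directory entries. This is an added example, not SSSD code or anything from the list thread: the account name `mathias_adm`, the three entries and the `search`/`parse_filter` helpers are constructed for the demonstration. It shows what the logged query does on the server side: the trailing `(!(uidNumber=0))` term is part of the LDAP search itself, so an entry with uidNumber 0 is never returned to SSSD, and a local `min_id` setting has nothing left to filter.

```python
"""Evaluate the LDAP search filter that SSSD logs against sample entries.

Minimal RFC 4515 filter evaluator (AND, OR, NOT, equality, presence and
substring tests).  Added example, not SSSD code; entries are constructed.
"""
import re

# Filter as logged in the message, with <username> replaced by a constructed name.
SSSD_FILTER = "(&(cn=mathias_adm)(objectclass=user)(cn=*)(&(uidNumber=*)(!(uidNumber=0))))"

# Constructed AD-style entries.  LDAP attribute names are case-insensitive,
# which is why "objectclass" in the filter must still find "objectClass" here.
ENTRIES = [
    {"cn": "mathias_adm", "objectClass": ["top", "person", "user"], "uidNumber": "0"},
    {"cn": "mathias", "objectClass": ["top", "person", "user"], "uidNumber": "10001"},
    {"cn": "mathias_adm", "objectClass": ["top", "group"]},  # no uidNumber at all
]


def parse_filter(text):
    """Parse an RFC 4515 filter string into a tree of tuples.

    Escaped parentheses inside values are not handled; the SSSD filter
    above does not need them.
    """
    pos = 0

    def expect(char):
        nonlocal pos
        if pos >= len(text) or text[pos] != char:
            raise ValueError("expected %r at offset %d in %r" % (char, pos, text))
        pos += 1

    def node():
        nonlocal pos
        expect("(")
        op = text[pos]
        if op in "&|":
            pos += 1
            children = []
            while pos < len(text) and text[pos] == "(":
                children.append(node())
            expect(")")
            return (op, children)
        if op == "!":
            pos += 1
            child = node()
            expect(")")
            return ("!", [child])
        end = text.index(")", pos)
        attr, sep, value = text[pos:end].partition("=")
        if not sep:
            raise ValueError("unsupported filter item %r" % text[pos:end])
        pos = end + 1
        if value == "*":
            return ("present", attr)
        if "*" in value:
            # LDAP wildcards become an anchored, case-insensitive regex.
            pattern = ".*".join(re.escape(part) for part in value.split("*"))
            return ("substr", attr, re.compile("^%s$" % pattern, re.IGNORECASE))
        return ("eq", attr, value)

    tree = node()
    if pos != len(text):
        raise ValueError("trailing data after filter: %r" % text[pos:])
    return tree


def attribute_values(entry, attr):
    """Return the entry's values for attr, matching the attribute name case-insensitively."""
    for name, value in entry.items():
        if name.lower() == attr.lower():
            return value if isinstance(value, list) else [value]
    return []


def matches(tree, entry):
    kind = tree[0]
    if kind == "&":
        return all(matches(child, entry) for child in tree[1])
    if kind == "|":
        return any(matches(child, entry) for child in tree[1])
    if kind == "!":
        return not matches(tree[1][0], entry)
    values = attribute_values(entry, tree[1])
    if kind == "present":
        return bool(values)
    if kind == "eq":
        # Case-insensitive compare stands in for the caseIgnore/integer matching rules.
        return any(v.lower() == tree[2].lower() for v in values)
    return any(tree[2].match(v) for v in values)  # substr


def search(filter_text, entries=ENTRIES):
    """Return the cn of every entry the filter selects, in directory order."""
    tree = parse_filter(filter_text)
    return [entry["cn"] for entry in entries if matches(tree, entry)]


if __name__ == "__main__":
    print("SSSD's logged filter returns:", search(SSSD_FILTER))
    print("Same filter without the UID 0 exclusion:",
          search("(&(cn=mathias_adm)(objectclass=user)(cn=*)(uidNumber=*))"))
```

Running it shows the logged filter returning no entry for the UID 0 admin account, while the same filter without the `(!(uidNumber=0))` term returns it; the group entry of the same name is excluded in both cases by `(objectclass=user)`.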