On Fri, 26 Sep 2014 13:44:56 +0200
Joakim Tjernlund <[email protected]> wrote:

> I see this the other way, SSSD has little to no technical reason to
> deny an AD root user.

SSSD denies access to any 'root' or uid = 0 users from any domain
regardless of type.
The technical decision was made when we started the project to avoid
causing issues recovering a machine should sssd misbheave. By not
handling the root user we cannot break the root user login.

> It is just an "architectural decision" and best practice
> enforced with no way out.

Indeed, there is no way out, and SSSD internals make it impossible to
easily fix as uid=0 is considered an invalid uid throughout all the
caching layer.

Sorry it does not meet your expectations, but this is how it works.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
_______________________________________________
sssd-users mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/sssd-users

Reply via email to