Simo Sorce wrote on 2014/09/26 18:34:56:
>
> On Fri, 26 Sep 2014 13:44:56 +0200
> Joakim Tjernlund wrote:
>
> > I see this the other way, SSSD has little to no technical reason to
> > deny an AD root user.
>
> SSSD denies access to any 'root' or uid = 0 users from any domain
> regardless of ty
On Fri, 26 Sep 2014 13:44:56 +0200
Joakim Tjernlund wrote:
> I see this the other way, SSSD has little to no technical reason to
> deny an AD root user.
SSSD denies access to any 'root' or uid = 0 users from any domain
regardless of type.
The technical decision was made when we started the proje
On Fri, 26 Sep 2014, Joakim Tjernlund wrote:
Possibly one can do that, but this is just a bad workaround for a bad
assumption in SSSD, namely that there cannot be any system out there that
would like to auth "root" with SSSD.
You're a corner case that goes against normal practice, so any workar
On Fri, 26 Sep 2014, Joakim Tjernlund wrote:
Why is it so hard to keep me on CC? Some list setting which makes
this easy to forget?
Because the list is well configured with a reply-to set to the list.
If you want to be part of a list, why not just join the list for the period
you want t
>> Let's get this straight, you have a user called 'root' in /etc/passwd
>>> and another user called 'root' in AD, is this correct ???
>>
>> You should name your central user something else. SSSD will deliberately
>> not authenticate root because root should be authenticated by pam_unix.
>>
>Hi
>Ho
>> Don't quite follow here. I do have a local root user in passwd/shadow with a
>> local pw as required by any UNIX I know. I also have an AD root account.
>
>Let's get this straight, you have a user called 'root' in /etc/passwd and
>another user called 'root' in AD, is this correct ???
Yes
PS
Dmitri Pal wrote on 2014/09/26 13:11:38:
>
> On 09/26/2014 06:52 AM, Joakim Tjernlund wrote:
> Don't quite follow here. I do have a local root user in passwd/shadow with a
> local pw as required by any UNIX I know. I also have an AD root
> > account.
> >>> Let's get this st
>>> Don't quite follow here. I do have a local root user in passwd/shadow with a
>>> local pw as required by any UNIX I know. I also have an AD root account.
>>
>> Let's get this straight, you have a user called 'root' in /etc/passwd
>> and another user called 'root' in AD, is this correct
On 09/26/2014 06:52 AM, Joakim Tjernlund wrote:
Don't quite follow here. I do have a local root user in passwd/shadow with a
local pw as required by any UNIX I know. I also have an AD root account.
Let's get this straight, you have a user called 'root' in /etc/passwd
and another user called 'root
On 26/09/14 11:48, Joakim Tjernlund wrote:
Don't quite follow here. I do have a local root user in passwd/shadow with a
local pw as required by any UNIX I know. I also have an AD root account.
Let's get this straight, you have a user called 'root' in /etc/passwd and
another user called 'root' in
On Fri, 26 Sep 2014, steve wrote:
Doesn't work here. Maybe it needs pam_krb5?
Works here just fine, but I presume you need GSSAPI enabled in sshd_config,
since this'll get handled before PAM gets involved won't it?
jh
___
sssd-users mailing list
sss
On 25/09/14 23:43, Nordgren, Bryce L -FS wrote:
Has anyone mentioned dropping a .k5login file in root's home directory?
http://web.mit.edu/kerberos/krb5-devel/doc/user/user_config/k5login.html
Doesn't work here. Maybe it needs pam_krb5?
> Hi
> How about deleting the user called root in AD, choosing another domain user
> called adroot. Then use:
> username map = /some/file
> to make adroot map to root in /some/file?
>
> adroot is now a domain user with uid 0
> HTH,
> Steve
Has anyone mentioned dropping a .k5login file in root's ho
On 25/09/14 20:36, Dmitri Pal wrote:
On 09/25/2014 02:27 PM, Rowland Penny wrote:
On 25/09/14 17:26, Joakim Tjernlund wrote:
Stephen Gallagher wrote on 2014/09/25 17:36:08:
On 09/25/2014 11:01 AM, John Hodrien wrote:
On Thu, 25 Sep 2014, Joakim
On 09/25/2014 02:27 PM, Rowland Penny wrote:
On 25/09/14 17:26, Joakim Tjernlund wrote:
Stephen Gallagher wrote on 2014/09/25 17:36:08:
On 09/25/2014 11:01 AM, John Hodrien wrote:
On Thu, 25 Sep 2014, Joakim Tjernlund wrote:
Yes, it is "my" job
On 25/09/14 17:26, Joakim Tjernlund wrote:
Stephen Gallagher wrote on 2014/09/25 17:36:08:
On 09/25/2014 11:01 AM, John Hodrien wrote:
On Thu, 25 Sep 2014, Joakim Tjernlund wrote:
Yes, it is "my" job, not sssd's. Currently sssd dictates that no
s
Stephen Gallagher wrote on 2014/09/25 17:36:08:
>
> On 09/25/2014 11:01 AM, John Hodrien wrote:
> > On Thu, 25 Sep 2014, Joakim Tjernlund wrote:
> >
> >> Yes, it is "my" job, not sssd's. Currently sssd dictates that no
> >> system ever should b
--Original Message-
From: sssd-users-boun...@lists.fedorahosted.org [mailto:sssd-users-
boun...@lists.fedorahosted.org] On Behalf Of Stephen Gallagher
Sent: Thursday, September 25, 2014 9:36 AM
To: End-user discussions about the System Security Services Daemon
Cc: Joakim Tjernlund
Subject: Re: [SSSD-use
users-boun...@lists.fedorahosted.org [mailto:sssd-users-
> boun...@lists.fedorahosted.org] On Behalf Of Stephen Gallagher
> Sent: Thursday, September 25, 2014 9:36 AM
> To: End-user discussions about the System Security Services Daemon
> Cc: Joakim Tjernlund
> Subject: Re: [SSSD-user
On 09/25/2014 11:01 AM, John Hodrien wrote:
> On Thu, 25 Sep 2014, Joakim Tjernlund wrote:
>
>> Yes, it is "my" job, not sssd's. Currently sssd dictates that no
>> system ever should be allowed to log in as root, no matter what.
>
> SSSD dictates that
On 09/25/2014 10:01 AM, John Hodrien wrote:
> On Thu, 25 Sep 2014, Joakim Tjernlund wrote:
>
>>> is, which is why ssh provides the option:
>>>
>>> AllowRoot without-password
>>
>> Why would I want to enable that?
>
> Because it's more secure than t
On Thu, 25 Sep 2014, Joakim Tjernlund wrote:
Yes, it is "my" job, not sssd's. Currently sssd dictates that no system
ever should be allowed to log in as root, no matter what.
SSSD dictates that no system should be allowed to log in as root via SSSD, and
that's not quite the same. You're a corner
On Thu, Sep 25, 2014 at 03:46:14PM +0200, Joakim Tjernlund wrote:
> Still, I don't see how the above somehow documents sssd's
> "no root login whatsoever" policy. The docs actually hints the
> opposite:
> filter_users, filter_groups (string)
> Exclude certain users from being fetched from the sss
Michael Ströder wrote on 2014/09/25 15:25:03:
>
> Joakim Tjernlund wrote:
> >> Joakim Tjernlund wrote:
> >>> How is local root pw any different than domain pw? In your view remote
> >>> root access is a big no-no so sssd should also enforce no remote root
> >>> login in
> >>> that case.
> >>
>
>Joakim Tjernlund wrote:
>> How is local root pw any different than domain pw? In your view remote
>> root access is a big no-no so sssd should also enforce no remote root
>> login in
>> that case.
>
>Yes, remote root password is a big no-no. Because it would be effective on all
>systems at once ci
John Hodrien wrote on 2014/09/25 15:06:16:
>
> On Thu, 25 Sep 2014, Joakim Tjernlund wrote:
>
> > John Hodrien wrote on 2014/09/25 11:22:52:
>
> > How is local root pw any different than domain pw? In your view remote root
> > access is a big no-no so sssd should also enforce no remote root lo
On Thu, 25 Sep 2014, Joakim Tjernlund wrote:
is, which is why ssh provides the option:
AllowRoot without-password
Why would I want to enable that?
Because it's more secure than the default of allowing root logins with
password remotely. But forget it, it's not entirely on-topic, as I'd part
Joakim Tjernlund wrote:
>> Joakim Tjernlund wrote:
>>> How is local root pw any different than domain pw? In your view remote
>>> root access is a big no-no so sssd should also enforce no remote root
>>> login in
>>> that case.
>>
>> Yes, remote root password is a big no-no. Because it would be eff
On Thu, 25 Sep 2014, Joakim Tjernlund wrote:
John Hodrien wrote on 2014/09/25 11:22:52:
How is local root pw any different than domain pw? In your view remote root
access is a big no-no so sssd should also enforce no remote root login in
that case. I have no problem using local root pw when
Joakim Tjernlund wrote:
> How is local root pw any different than domain pw? In your view remote
> root access is a big no-no so sssd should also enforce no remote root login in
> that case.
Yes, remote root password is a big no-no. Because it would be effective on all
systems at once circumventi
On 25/09/14 12:15, Joakim Tjernlund wrote:
John Hodrien wrote on 2014/09/25 11:22:52:
On Thu, 25 Sep 2014, Joakim Tjernlund wrote:
Because as an admin I need to log in on users' boxes to fix stuff they broke.
Sometimes su/sudo are not set up/broken too.
If your goal is to have the same root
John Hodrien wrote on 2014/09/25 11:22:52:
>
> On Thu, 25 Sep 2014, Joakim Tjernlund wrote:
>
> > Because as an admin I need to log in on users' boxes to fix stuff they broke.
> > Sometimes su/sudo are not set up/broken too.
> >
> >>
> >> If your goal is to have the same root password across an en
On Thu, 25 Sep 2014, Joakim Tjernlund wrote:
Because as an admin I need to log in on users' boxes to fix stuff they broke.
Sometimes su/sudo are not set up/broken too.
If your goal is to have the same root password across an enterprise, I
recommend something like Puppet or Ansible.
How does th
>On Wed, Sep 24, 2014 at 06:57:54PM +0200, Joakim Tjernlund wrote:
>> Trying to figure out how to set up sssd to allow me to ssh into another box as
>> root using the domain root passwd.
>
>It's not possible by design, SSSD explicitly drops all requests for
>either root or UID 0. root is really a mach
On Thu, 25 Sep 2014, Jakub Hrozek wrote:
If your goal is to have the same root password across an enterprise, I
recommend something like Puppet or Ansible.
If the goal is to let users administer machines, then storing sudo rules
in LDAP is the best way forward.
I'm entirely in agreement with
On Wed, Sep 24, 2014 at 06:57:54PM +0200, Joakim Tjernlund wrote:
> Trying to figure out how to set up sssd to allow me to ssh into another box as
> root using the domain root passwd.
It's not possible by design, SSSD explicitly drops all requests for
either root or UID 0. root is really a machine-loc
Trying to figure out how to set up sssd to allow me to ssh into another box as
root using the domain root passwd.
Nothing I tried lets me do that, so could someone please give me an example
config which lets root in with domain passwd?
Jocke