On Tue, 24 Apr 2018, Joakim Tjernlund wrote:
Yes, but every now and then joining the domain or losing the keytab during computer upgrade happens and then no one can login other than local root and that is impractical. Can one combine simple LDAP bind with xxx_provider=ad?
How often are you finding you're losing your keytab? If you update a machine, you shouldn't lose your keytab.
If you reinstall a machine, you should either preserve your keytab, or rejoin the domain as part of the install.
But for an installed system, I think you quickly reach a point where using krb5 for NFS/Samba or other services becomes highly desirable, and none of that flies unless you've got a local keytab.
There are other authentication methods you can use to access a machine remotely other than as root with a password when SSSD is in an unusable state.
Whether it's possible or not, I'd question whether you really want to go down that road.
jh
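A pre-upgrade keytab check, as an added example that is not part of this thread and not SSSD's or realmd's own code: it parses `klist -k` output for the host principal, copies the keytab into a root-only backup directory, and, when `kinit` is available, tries a `kinit -k` against the KDC so a dead keytab is found before the upgrade rather than after it. The keytab path, backup directory, the EXAMPLE.COM principals and the sample `klist -k` listing are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread or from SSSD: check and back up the
# host keytab before a machine upgrade, so the box can still be joined afterwards.
# Assumed (hypothetical) defaults: MIT krb5 tools, keytab at /etc/krb5.keytab,
# backups under /root/keytab-backup, principal supplied by the caller.

KEYTAB="${KEYTAB:-/etc/krb5.keytab}"
BACKUP_DIR="${BACKUP_DIR:-/root/keytab-backup}"

# Read `klist -k` output on stdin and succeed only if the principal is listed.
# The principal column is matched exactly, so HOST/WS01@... never stands in for
# host/ws01.example.com@... by accident.
keytab_lists_principal() {
    awk -v p="$1" '$1 ~ /^[0-9]+$/ && $2 == p { found = 1 }
                   END { exit found ? 0 : 1 }'
}

# Highest key version number (KVNO) recorded for a principal in `klist -k`
# output on stdin. Prints nothing if the principal is absent.
keytab_max_kvno() {
    awk -v p="$1" '$1 ~ /^[0-9]+$/ && $2 == p {
                       k = $1 + 0; if (!seen || k > max) { max = k; seen = 1 } }
                   END { if (seen) print max }'
}

# Copy the keytab into a root-only directory as a timestamped file and print
# the path of the copy. Fails if the source is missing or empty.
backup_keytab() {
    src="$1"
    dir="$2"
    [ -s "$src" ] || { echo "keytab $src is missing or empty" >&2; return 1; }
    mkdir -p "$dir" && chmod 0700 "$dir" || return 1
    dest="$dir/$(basename "$src").$(date +%Y%m%d%H%M%S)"
    cp -p "$src" "$dest" && chmod 0600 "$dest" || return 1
    echo "$dest"
}

# Live check: can the keytab actually obtain a TGT from the KDC? Uses an
# in-memory credential cache so nothing is left on disk. Returns 2 when kinit
# is not installed, so the caller can tell "skipped" from "failed".
keytab_can_kinit() {
    command -v kinit >/dev/null 2>&1 \
        || { echo "kinit not installed; skipping live check" >&2; return 2; }
    KRB5CCNAME=MEMORY:keytabcheck kinit -k -t "$KEYTAB" "$1"
}

# Full pre-upgrade check for one principal, e.g. "host/$(hostname -f)@EXAMPLE.COM".
# Non-zero exit means the keytab is unreadable or lacks the principal, i.e. the
# machine has to be rejoined (realm join / adcli join) as part of the install.
precheck_keytab() {
    principal="$1"
    listing=$(KRB5_KTNAME="$KEYTAB" klist -k 2>/dev/null) \
        || { echo "cannot read $KEYTAB; plan to rejoin after the upgrade" >&2; return 1; }
    printf '%s\n' "$listing" | keytab_lists_principal "$principal" \
        || { echo "$principal is not in $KEYTAB; rejoin the domain" >&2; return 1; }
    echo "$principal present, kvno $(printf '%s\n' "$listing" | keytab_max_kvno "$principal")"
    backup_keytab "$KEYTAB" "$BACKUP_DIR" || return 1
    keytab_can_kinit "$principal"
}

# Constructed sample of `klist -k` output (not captured from a real host), used
# to exercise the parsing functions offline.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/ws01.example.com@EXAMPLE.COM
   3 host/ws01.example.com@EXAMPLE.COM
   3 HOST/WS01@EXAMPLE.COM
   3 WS01$@EXAMPLE.COM'
```

Run `precheck_keytab "host/$(hostname -f)@EXAMPLE.COM"` as root before starting the upgrade; a non-zero exit is the signal to schedule a rejoin during the install instead of discovering a missing keytab when nobody but local root can log in. The backup copy is kept at mode 0600 because the keytab is equivalent to the machine's password.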