On Fri, 26 Sep 2014, Joakim Tjernlund wrote:
Possibly one can do that, but this is just a bad workaround for a bad assumption in SSSD, namly that there can not be any system out there who would like to auth "root" with SSSD.
You're a corner case that goes against normal practice, so any workaround is fine, however grim. You can use .k5login/ssh keys/sudo and get to a better place than you're aiming for with this solution, and you don't have to modify sssd and pam to work in non standard, and most likely non-LSB compliant ways to make it work.
jh