#1475 [RFE] Create a way to self seed the system when system is offline and the cred cache is lost
Closed: Invalid None Opened 11 years ago by dpal.

The other day I experienced an SSSD outage. I do not know exactly how it got into that state; I was just working remotely over the VPN and then left the computer on. The screen locked but the VPN probably dropped at some point. When I tried to unlock, my account was not recognized. The SSSD restart did not help so I checked the log. It reported that there are no cached credentials for me. Maybe the cache database got corrupted or something... Well, things happen. So how do I recover from this situation while being remote?
I need to log in as root, establish a VPN connection and authenticate as myself for the creds to be cached again. I use RHEL so I was able to log in as root into the UI and use a preconfigured VPN client. If I were on Fedora or root did not have a VPN configured I would have been in trouble. Since we can't rely on the VPN being configured or even possible to establish (maybe I do not have access at all but need to work offline), it would be nice to have a way to seed the cache as root from the command line for the user I need.
I envision it as a command:

sssd_seed --restore --domain=default --user=dpal --password=foo

This will restore the cred cache for the user, allowing him to log in offline.
This would help a laptop user to easily restore offline cache without dealing with VPN.

Also an alternative would be to do the same thing through the PAM conversation.
Say I do not have a cred cache for user foo for whatever reason (bug, upgrade went wrong, database corruption, user never logged in, the cache got wiped out by mistake, etc.).
The user tries to authenticate, SSSD detects that there is no valid cred cache for this user but SSSD is configured to cache creds. Then SSSD would prompt the user for the root password. If the user knows the root password and enters it correctly, SSSD would then prompt for the user password and then prompt again to confirm it. If the passwords match it would save it in the cache and let the user in. This way even an inexperienced user would be able to seed his SSSD cred cache without all this VPN overhead.


Fields changed

type: defect => enhancement

Fields changed

milestone: NEEDS_TRIAGE => SSSD Deferred
proposed_priority: => Undefined

Fields changed

rhbz: => todo

sss_seed is available since 6ea6ec5 therefore we can close this ticket.

changelog: =>
design: =>
design_review: => 0
fedora_test_page: =>
mark: => 0
review: => 1
selected: =>
sensitive: => 0

Fields changed

resolution: => worksforme
status: new => closed
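
The command proposed in the request takes the password as `--password=foo`, which would place it in the process list and shell history; `sss_seed`, named in the closing comment, reads it from a prompt or a file instead. The wrapper below is an added example, not code from the ticket or the SSSD project: it assumes root, a domain present in sssd.conf with `cache_credentials = true`, and a hypothetical `SSS_SEED` variable used only to substitute the binary when exercising the function.

```shell
#!/bin/sh
# Added example: seed one user's offline credential cache with sss_seed
# while keeping the password out of argv and out of shell history.
# Usage (as root): seed_offline_cache default dpal

seed_offline_cache() {
    domain=$1 user=$2
    [ -n "$domain" ] && [ -n "$user" ] || {
        echo "usage: seed_offline_cache DOMAIN USER" >&2; return 2; }

    # Read the password from stdin; turn echo off when stdin is a terminal.
    if [ -t 0 ]; then
        printf 'Password for %s: ' "$user" >&2
        stty -echo
        IFS= read -r pw || true
        stty echo; echo >&2
    else
        IFS= read -r pw || true
    fi
    [ -n "$pw" ] || { echo "empty password, refusing to seed" >&2; return 1; }

    # mktemp creates the file with mode 0600; umask 077 guards against
    # implementations that do not.
    pwfile=$(umask 077; mktemp) || return 1
    printf '%s' "$pw" > "$pwfile"
    unset pw

    # sss_seed(8): -D domain, -n user name, -p file to read the password from.
    # SSS_SEED is a hypothetical override, not an SSSD setting.
    rc=0
    "${SSS_SEED:-sss_seed}" -D "$domain" -n "$user" -p "$pwfile" || rc=$?

    # Remove the password file whether or not seeding succeeded.
    rm -f "$pwfile"
    return "$rc"
}
```

Without `-p`, `sss_seed -D default -n dpal` prompts for the password itself, which is the simpler choice for interactive use.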

Metadata Update from @dpal:
- Issue set to the milestone: SSSD Patches welcome

7 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/2517

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.
