All,
This is not a big deal -- just curious.
We have a commercial Linux AD integration product. In it, the incoming
user's authorization to log in is validated during the PAM "authentication"
phase. So if it's a legal AD user and good password, but that user is not
authorized in -- you're returned to the "login name: / password:" prompt.
In sssd, it appears that validating if you're a legally-authorized user or
in a legally-authorized group occurs in the PAM "account" phase. It's done
by the "simple" access_provider.
Consider again a legal AD user and good password, but again -- that user is
not authorized in.
Now that user name is accepted, that password is accepted, but then the
server closes your PuTTY session. You're not returned to a "login name: /
password:" prompt.
Like I say -- not a big deal. Unauthorized users are intercepted and
disallowed, just in different ways. Just curious if there's a way to make
sssd fail in the former manner, instead of the latter.
Spike White
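
The two-phase behaviour described in the message above (password accepted in the PAM "auth" phase, login then refused in the "account" phase) can be told apart from a plain bad-password failure in syslog. The following is an added example, not part of the original message: it correlates the two phases over constructed sample lines. The log format is assumed to match typical pam_sss output, and the host names, users and addresses are hypothetical.

```python
import re

# Constructed sample lines, modelled on typical pam_sss syslog output (assumed format).
SAMPLE_LOG = """\
Mar  3 10:01:12 host1 sshd[4101]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5 user=alice
Mar  3 10:01:12 host1 sshd[4101]: pam_sss(sshd:account): Access denied for user alice: 6 (Permission denied)
Mar  3 10:02:40 host1 sshd[4177]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.9 user=bob
Mar  3 10:03:05 host1 sshd[4203]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.7 user=carol
"""

AUTH_RE = re.compile(
    r"(?P<svc>\w+)\[(?P<pid>\d+)\]: pam_sss\(\w+:auth\): authentication "
    r"(?P<result>success|failure);.*?rhost=(?P<rhost>\S*) user=(?P<user>\S+)")
DENY_RE = re.compile(
    r"(?P<svc>\w+)\[(?P<pid>\d+)\]: pam_sss\(\w+:account\): "
    r"Access denied for user (?P<user>\S+?):")

def classify(log_text):
    """Return (account_denied, auth_failed) lists of (user, rhost) tuples.

    account_denied: password accepted in the auth phase, then rejected by the
    access provider in the account phase (same process id and user).
    auth_failed: rejected in the auth phase itself.
    """
    accepted = {}          # (pid, user) -> rhost of a successful auth phase
    account_denied, auth_failed = [], []
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            if m["result"] == "success":
                accepted[(m["pid"], m["user"])] = m["rhost"]
            else:
                auth_failed.append((m["user"], m["rhost"]))
            continue
        m = DENY_RE.search(line)
        if m:
            # Only report denials that follow a successful auth in the same process.
            rhost = accepted.pop((m["pid"], m["user"]), None)
            if rhost is not None:
                account_denied.append((m["user"], rhost))
    return account_denied, auth_failed

if __name__ == "__main__":
    denied, failed = classify(SAMPLE_LOG)
    print("valid password, access denied:", denied)
    print("authentication failed:", failed)
```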