On Sun, Jan 24, 2016 at 05:03:22PM -0000, Eric Biggers wrote:
> Yes, ad_gpo_map_interactive is the right one.
>
> I understand that the Gnome and KDE display managers are already included
> in the hardcoded default list. My question was more along the lines of
> why sssd needs to have such a hardcoded list at all. It seems like a poor
> design as it will invariably create headaches for people who choose to
> use software that isn't in the default list, whether that is lightdm or
> something else. Would it be possible for services to identify themselves
> as "interactive" or not, rather than placing the responsibility on sssd?
I'm not sure how. In the end, it's the service that calls pam_service to
select which PAM service configuration to use during the
conversation. There's nothing preventing you from creating a completely
custom service of yours.
It would be nice to provide a configure-time option so that
distributions that ship a different display manager by default could
override the list of services sssd has compiled in.
> And does the whole "interactive" vs "noninteractive" mechanism actually
> provide any real security?
It's not about security as much as about mapping Windows GPO logon
rights to UNIX PAM services.
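For readers who hit the same problem with a display manager that is not in the compiled-in list, here is the sssd.conf fragment that maps an extra PAM service name onto the interactive logon right. This is an added example, not configuration from the thread or from the sssd project's documentation; the domain section name is a placeholder, and the "+service" / "-service" prefix syntax is the one documented for ad_gpo_map_interactive in sssd-ad(5).

```ini
# Added example: sssd.conf fragment, domain name is a placeholder.
[domain/example.com]
id_provider = ad
access_provider = ad

# Weak setting: nothing here, so sssd only evaluates the InteractiveLogonRight
# GPO settings for the PAM service names it has compiled in. A login through
# a display manager whose PAM service name is missing from that list (lightdm
# in the thread above) is not mapped to the interactive right at all.

# Corrected setting: keep the compiled-in defaults and add lightdm's PAM
# service name on top of them with the "+" prefix. "-login" is shown only to
# illustrate that the same option can also drop a default entry.
ad_gpo_map_interactive = +lightdm, -login
```

The important point for operators is that an unmapped PAM service does not silently fall through to the interactive rules; sssd applies whatever ad_gpo_default_right specifies for unmapped services instead, so after adding a new display manager it is worth confirming with a test login that the expected GPO logon right is actually being evaluated.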