On Sun, Jan 24, 2016 at 05:03:22PM -0000, Eric Biggers wrote:
Yes, ad_gpo_map_interactive is the right one.
> I understand that the Gnome and KDE display managers are already included in the hardcoded default list. My question was more along the lines of why sssd needs to have such a hardcoded list at all. It seems like a poor design as it will invariably create headaches for people who choose to use software that isn't in the default list, whether that is lightdm or something else. Would it be possible for services to identify themselves as "interactive" or not, rather than placing the responsibility on sssd?
I'm not sure how... In the end, it's the service that calls pam_service to select which PAM service configuration to use during the conversation... There's nothing preventing you from creating a completely custom service of your own.
It would be nice to provide a configure-time option so that distributions that ship a different display manager by default could override the list of services sssd has compiled in.
> And does the whole "interactive" vs "noninteractive" mechanism actually provide any real security?
It's not about security as much as about mapping Windows GPO logon rights to UNIX PAM services.
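For reference, an added sssd.conf fragment (not from this thread) showing how the option discussed above extends the compiled-in interactive list with a display manager such as lightdm; the domain name is a placeholder, and the option names and the `+`/`-` prefix syntax are as documented in sssd.conf(5):

```ini
; /etc/sssd/sssd.conf (added example; EXAMPLE.COM is a placeholder domain)
[domain/EXAMPLE.COM]
id_provider = ad
access_provider = ad
; Evaluate GPO logon rights and actually deny access on a mismatch
ad_gpo_access_control = enforcing

; Append lightdm to the built-in list of PAM services treated as "interactive"
; logons (the set mapped to the "Allow log on locally" / "Deny log on locally"
; rights). "+name" adds to the compiled-in default, "-name" removes from it.
ad_gpo_map_interactive = +lightdm

; A PAM service that appears in no ad_gpo_map_* list falls back to this
; right; "deny" means an unlisted custom service is refused rather than
; silently treated as some other logon type.
ad_gpo_default_right = deny
```

With `enforcing` set, a display manager left out of every mapping is rejected under the default right, so a mapping mistake shows up as a visible logon failure in the sssd logs rather than as an unintended grant.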