On Sun, Jan 24, 2016 at 05:03:22PM -0000, Eric Biggers wrote:
> Yes, ad_gpo_map_interactive is the right one.
>
> I understand that the Gnome and KDE display managers are already included
> in the hardcoded default list. My question was more along the lines of
> why sssd needs to have such a hardcoded list at all. It seems like a poor
> design as it will invariably create headaches for people who choose to
> use software that isn't in the default list, whether that is lightdm or
> something else. Would it be possible for services to identify themselves
> as "interactive" or not, rather than placing the responsibility on sssd?

I'm not sure how... in the end, it's the service that calls pam_service to
select which PAM service configuration to use during the conversation...
there's nothing preventing you from creating a completely custom service of
yours.

It would be nice to provide a configure-time option so that distributions
that ship a different display manager by default could override the list of
services sssd has compiled in.

> And does the whole "interactive" vs "noninteractive" mechanism actually
> provide any real security?

It's not about security as much as about mapping Windows GPO logon rights to
UNIX PAM services.
