[systemd-devel] pam_systemd.so indirectly calling pam_acct_mgmt

Lennart Poettering lennart at poettering.net
Sat May 2 00:48:28 PDT 2015


On Fri, 01.05.15 08:29, Stephen Gallagher (sgallagh at redhat.com) wrote:

> Right, so based on this information, it seems to me that in SSSD we
> need to be treating the 'systemd-user' PAM service the same way we do
> the 'cron' service. The idea being that this is meant to handle
> actions performed *as* a user but not *by* a user (for lack of a
> better distinction).
> 
> In the terms of how Microsoft Active Directory would treat it (and
> when we're using AD as the identity and authorization store), it
> should be handled as the [Allow|Deny]BatchLogonRight permission which
> is described by MS as:
> 
> "This security setting allows a user to be logged on by means of a
> batch-queue facility.
> 
> For example, when a user submits a job by means of the task scheduler,
> the task scheduler logs that user on as a batch user rather than as an
> interactive user."
> 
> Does that seem to match everyone's expectation here?

Well, I guess for now. But note that eventually we hope to move most
programs invoked from .desktop into this as systemd services. This
then means that the actual sessions will become pretty empty, with
only stubs remaining that trigger services off this user instance of
systemd.

Lennart

-- 
Lennart Poettering, Red Hat

