Description of problem: HBAC can be configured to allow/deny specific services. A list of those services is needed.
Sumit, can you provide the list of services for HBAC, or the mechanism that sssd uses to determine the requested service?
The service is compared to the string that is returned by pam_get_item(pam_handle, PAM_SERVICE, &item) which is the same as the service name in the PAM configuration in /etc/pam.d/. So the filenames in /etc/pam.d are the service names. Please note that there are services which can have multiple service names, like e.g. su and su-l.
Sumit, here are those that I picked: sssd, ftp, su, login, su-l, sudo and sudo-i. Is this enough to start with?
I think you mean sshd instead of sssd. Maybe adding gdm and/or gdm-password would make sense. The KDE folks would like kdm, too.
https://fedorahosted.org/freeipa/ticket/307
Ok, adding all three.
master: d76ead6ccea2b41d3cb603124860fb3f84d8e1cc
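An added example, not code from this ticket or from sssd/FreeIPA: since the service names are the filenames in /etc/pam.d, this sketch lists a PAM directory and compares it with the service list settled on in the thread. The function names, the backup-suffix filter and the sample directory are assumptions made for illustration.

```python
import tempfile
from pathlib import Path

# Service names picked in this thread (sshd, not sssd, plus gdm, gdm-password, kdm).
HBAC_SERVICES = {"sshd", "ftp", "su", "login", "su-l", "sudo", "sudo-i",
                 "gdm", "gdm-password", "kdm"}

# Assumption: leftover editor/package files are not treated as services.
BACKUP_SUFFIXES = ("~", ".bak", ".rpmnew", ".rpmsave")


def pam_service_names(pam_dir):
    """Return the PAM service names on a host: one per file in pam_dir."""
    names = set()
    for entry in Path(pam_dir).iterdir():
        if not entry.is_file():
            continue
        if entry.name.startswith(".") or entry.name.endswith(BACKUP_SUFFIXES):
            continue
        names.add(entry.name)
    return names


def compare_with_hbac(pam_dir, hbac_services=HBAC_SERVICES):
    """Exact string comparison, so su and su-l count as different services."""
    local = pam_service_names(pam_dir)
    return {
        "matchable": sorted(local & hbac_services),   # in both lists
        "local_only": sorted(local - hbac_services),  # PAM file, no list entry
        "hbac_only": sorted(hbac_services - local),   # list entry, no PAM file
    }


def demo():
    """Run the comparison on a constructed directory standing in for /etc/pam.d."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("sshd", "su", "su-l", "sudo", "crond", "sshd.rpmsave"):
            Path(tmp, name).write_text("# constructed sample file\n")
        return compare_with_hbac(tmp)


if __name__ == "__main__":
    for key, names in demo().items():
        print(f"{key}: {', '.join(names)}")
```

On a real host, pass "/etc/pam.d" to compare_with_hbac to see which local PAM services the list does not yet name.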