General Platform Notes | ThinLinc by Cendio

The following information relates to installation of ThinLinc on most platforms. Make sure to also read the pages specific to your specific platform.

Web Access and Active Directory

Modern versions of sssd will attempt to respect the Group Policy of the Active Directory domain it is part of. Unfortunately this causes third party software such as ThinLinc to be prevented from authenticating users. Lines such as the following will be seen in the system log files:

Mar  8 15:13:51 ubuntu1604 pamtester: pam_sss(thinlinc:account): Access denied for user johndoe: 6 (Permission denied)

To remedy this sssd must be configured to either ignore the Group Policy, or to recognize ThinLinc as an approved service. Add the following to the relevant domain section of /etc/sssd/sssd.conf to completely ignore the Group Policy:

ad_gpo_access_control = disabled

Or add the following to mark ThinLinc as a remote desktop service:

ad_gpo_map_remote_interactive = +thinlinc

Note that the native ThinLinc client is unaffected as it uses the system's standard SSH server for authentication.