
User Authentication by Active Directory + Group Policy Object via sssd Fails (Doc ID 2488362.1)

Last updated on APRIL 24, 2020

Applies to:

Linux OS - Version Oracle Linux 7.0 to Oracle Linux 7.6 [Release OL7 to OL7U6]
Linux x86-64

Symptoms

User authorization with AD (Active Directory) + GPO (Group Policy Object) fails with the following messages in /var/log/messages:

Dec 11 18:06:19 hostname sshd[1425]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1 user=kscadmin
Dec 11 18:06:19 hostname sshd[1425]: pam_sss(sshd:account): Access denied for user username: 4 (System error)
Dec 11 18:06:19 hostname sshd[1425]: Failed password for username from 127.0.0.1 port 40729 ssh2
Dec 11 18:06:19 hostname sshd[1425]: fatal: Access denied for user username by PAM account configuration [preauth]

When "ad_gpo_access_control = permissive" is set in /etc/sssd/sssd.conf, any user can log in via ssh, but the GPO is not applied.

When "ad_gpo_access_control = enforcing" is set in /etc/sssd/sssd.conf, no user can log in, and the error above is logged.
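
To triage this symptom, the following Python script (an added example, not part of the Oracle document) correlates log lines by sshd PID to find sessions where pam_sss reported authentication success but then denied access in the account phase, and reports the `ad_gpo_access_control` value set for each sssd domain. The log lines and the sssd.conf fragment are constructed samples modelled on the messages above; `example.com` and the function names are assumptions.

```python
import re
from configparser import ConfigParser

# Constructed sample log, modelled on the messages quoted above.
SAMPLE_LOG = """\
Dec 11 18:06:19 hostname sshd[1425]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1 user=username
Dec 11 18:06:19 hostname sshd[1425]: pam_sss(sshd:account): Access denied for user username: 4 (System error)
Dec 11 18:07:02 hostname sshd[1502]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1 user=other
Dec 11 18:08:40 hostname sshd[1577]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1 user=third
"""
# Constructed sssd.conf fragment; the domain name is a placeholder.
SAMPLE_CONF = """\
[sssd]
domains = example.com

[domain/example.com]
id_provider = ad
ad_gpo_access_control = enforcing
"""

AUTH_OK = re.compile(r"sshd\[(\d+)\]: pam_sss\(sshd:auth\): authentication success;.*\buser=(\S+)")
ACCT_DENY = re.compile(r"sshd\[(\d+)\]: pam_sss\(sshd:account\): Access denied for user (\S+): (\d+) \(([^)]*)\)")

def find_account_phase_denials(log_text):
    """Return (pid, user, code, reason) for sessions that passed auth but failed account."""
    authed = {}   # sshd PID -> user who authenticated in that session
    hits = []
    for line in log_text.splitlines():
        m = AUTH_OK.search(line)
        if m:
            authed[m.group(1)] = m.group(2)
            continue
        m = ACCT_DENY.search(line)
        if m and m.group(1) in authed:   # same sshd process already passed auth
            hits.append((int(m.group(1)), m.group(2), int(m.group(3)), m.group(4)))
    return hits

def gpo_modes(conf_text):
    """Map each [domain/...] section to its explicit ad_gpo_access_control value (None if unset)."""
    cp = ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    return {s: cp.get(s, "ad_gpo_access_control", fallback=None)
            for s in cp.sections() if s.startswith("domain/")}

if __name__ == "__main__":
    print(gpo_modes(SAMPLE_CONF))
    for hit in find_account_phase_denials(SAMPLE_LOG):
        print("auth OK but account phase denied:", hit)
```

A hit alongside an `enforcing` domain matches the symptom described here: the password was accepted, so the denial comes from the access-control step rather than from the credentials.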

 

Cause
