Recently I have integrated two Linux VMs into our AD domain, which went smoothly by following the realm article on joining a host to a domain.
My AD users are now able to log in to the Linux client; however, I've been struggling to restrict users and let only a specific (nested) group of admins log in.
I set access_provider to the simple method and filtered the permitted group using simple_allow_groups =
My AD group is called Server Admin and resides in the group Admin Accounts, so the FQDN would be
domain.local\Admin Accounts\Server Admin.
Initially I thought the nested group would be the issue, but I created a test user in another principal group and the same issue appeared.
[root@vtsanv01 ~]# realm list
permitted-groups: Server Admin
The /etc/sssd/sssd.conf looks like this:
# global section
[sssd]
domains = domain.local
config_file_version = 2
services = nss, pam

# per-domain section; access_provider and simple_allow_groups are only honoured here
[domain/domain.local]
ad_domain = domain.local
krb5_realm = domain.local
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u@%d
ad_gpo_ignore_unreadable = True
access_provider = simple
simple_allow_groups = Server Admin
The nsswitch.conf file includes the following parameters:
passwd: files sss
shadow: files sss
group: files sss
hosts: files dns myhostname
bootparams: nisplus [NOTFOUND=return] files
services: files sss
netgroup: nisplus sss
automount: files nisplus sss
aliases: files nisplus
Furthermore, I've also considered and tried using the ad_access_filter option, which is described pretty well at https://docs.pagure.org/SSSD.sssd/design_pages/active_directory_access_control.html, but the same behaviour appears: permission denied when my user(s) try to log in after configuring it.
There must be something dumb I'm missing but I can't find it. Any help would be appreciated.
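A small sanity check for the two things the question turns on, added here as an example rather than anything from the post or from SSSD itself: it verifies that access-control options (access_provider, simple_allow_groups, ad_access_filter) sit inside a [domain/...] section rather than [sssd], where SSSD ignores them, reports any listed domain with no access_provider at all (SSSD then defaults to permitting every user), and builds an ad_access_filter that matches nested group membership through the AD LDAP_MATCHING_RULE_IN_CHAIN rule. The sample configuration and the group DN are constructed; the section layout is the standard SSSD one.

```python
"""Check an sssd.conf for access-control placement and build a nested-group filter.

Added example (not from the original post). Assumes the standard SSSD layout:
[sssd] holds global options, [domain/<name>] holds per-domain options.
"""
import configparser

# Constructed sample resembling the posted configuration, with the section
# headers SSSD requires. domain.local and "Server Admin" are the names from the question.
SAMPLE_CONF = """
[sssd]
domains = domain.local
config_file_version = 2
services = nss, pam

[domain/domain.local]
ad_domain = domain.local
krb5_realm = DOMAIN.LOCAL
id_provider = ad
use_fully_qualified_names = False
access_provider = simple
simple_allow_groups = Server Admin
"""

# Options that SSSD only honours inside a [domain/...] section.
DOMAIN_ONLY_OPTIONS = {
    "access_provider", "simple_allow_groups", "simple_allow_users", "ad_access_filter",
}


def parse_sssd_conf(text):
    """Parse sssd.conf text; raises MissingSectionHeaderError if headers are absent."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep option names exactly as written
    cp.read_string(text)
    return cp


def misplaced_access_options(cp):
    """Return (section, option) pairs for access options outside any domain section."""
    bad = []
    for section in cp.sections():
        if section.startswith("domain/"):
            continue
        for opt in cp[section]:
            if opt in DOMAIN_ONLY_OPTIONS:
                bad.append((section, opt))
    return bad


def domains_missing_access_control(cp):
    """Domains listed under [sssd] 'domains' whose section sets no access_provider.

    Without access_provider SSSD uses 'permit', i.e. every AD user may log in.
    """
    listed = [d.strip() for d in cp["sssd"].get("domains", "").split(",") if d.strip()]
    missing = []
    for d in listed:
        sec = f"domain/{d}"
        if not cp.has_section(sec) or "access_provider" not in cp[sec]:
            missing.append(d)
    return missing


def escape_filter_value(value):
    """Escape the characters RFC 4515 reserves inside an LDAP filter value."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
                 .replace("(", "\\28").replace(")", "\\29").replace("\0", "\\00"))


def nested_group_filter(group_dn):
    """ad_access_filter matching direct or nested membership of group_dn.

    1.2.840.113556.1.4.1941 is LDAP_MATCHING_RULE_IN_CHAIN, which walks the
    memberOf chain on the AD side so nested groups are honoured.
    """
    return f"(memberOf:1.2.840.113556.1.4.1941:={escape_filter_value(group_dn)})"


if __name__ == "__main__":
    conf = parse_sssd_conf(SAMPLE_CONF)
    print("misplaced:", misplaced_access_options(conf))
    print("no access control:", domains_missing_access_control(conf))
    # Constructed DN; replace with the real group DN from `ldapsearch` or ADUC.
    print(nested_group_filter("CN=Server Admin,OU=Admin Accounts,DC=domain,DC=local"))
```

Run it against a copy of the real /etc/sssd/sssd.conf by reading the file into parse_sssd_conf; if it raises MissingSectionHeaderError, the file itself lacks the section headers and SSSD will not load it.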