Unable to restrict AD groups to log in to RHEL 7.7


Recently I have integrated 2 Linux VMs into our AD domain, which went smoothly by following the realm article to join a host into a domain.
My AD users are now able to log in to the Linux client; however, I've been struggling to restrict users and let only a specific (nested) group of admins log in.

Setting access_provider to the simple method and filtering the permitted group using simple_allow_groups =

My AD group is called Server Admin and resides in the group Admin Accounts, so the FQDN would be
domain.local\Admin Accounts\Server Admin.
Initially I thought the nested group would be the issue, but I've created a test user in another principal group and the same issue appeared.

[root@vtsanv01 ~]# realm list
type: kerberos
realm-name: domain.local
domain-name: domain.local
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: oddjob
required-package: oddjob-mkhomedir
required-package: sssd
required-package: adcli
required-package: samba-common-tools
login-formats: %U
login-policy: allow-permitted-logins
permitted-groups: Server Admin

The /etc/sssd/sssd.conf looks like this:

[sssd]
domains = domain.local
config_file_version = 2
services = nss, pam

[domain/domain.local]
ad_domain = domain.local
krb5_realm = domain.local
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /home/%u@%d
ad_gpo_ignore_unreadable = True
access_provider = simple
simple_allow_groups = Server Admin

The nsswitch.conf file includes the following parameters:
passwd: files sss
shadow: files sss
group: files sss

hosts: files dns myhostname

bootparams: nisplus [NOTFOUND=return] files

ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files sss

netgroup: nisplus sss
publickey: nisplus
automount: files nisplus sss
aliases: files nisplus

Furthermore, I've also considered and tried using the ad_access_filter option, which is pretty well described at https://docs.pagure.org/SSSD.sssd/design_pages/active_directory_access_control.html, but the same behaviour appears: permission denied when my user(s) try to log in after configuring it.

There must be something dumb I'm missing, but I can't find it. Any help would be appreciated.
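The simple access provider only grants login when one of the names in simple_allow_groups matches a group that NSS actually returns for the user, so the first thing to verify is whether `id <user>` on the client lists the group at all, spelled the way sssd returns it. The following is an added offline check (not from the poster, Red Hat or the SSSD project): it parses an sssd.conf modelled on the one above (the [sssd] and [domain/domain.local] section headers, the user names alice and bob, and the `id` output are all constructed for the example) and reports whether the configured rule would admit each user. It parses the `id` output by the parenthesised names rather than splitting on whitespace, because a group name with a space such as "Server Admin" breaks a naive `id -Gn` split.

```python
"""Offline pre-flight check for an SSSD simple-provider access rule (added example)."""
import configparser
import re

# Constructed sssd.conf modelled on the one in the question. The section
# headers are assumed: SSSD requires a [sssd] section and one [domain/<name>]
# section per entry in "domains =".
SAMPLE_SSSD_CONF = """
[sssd]
domains = domain.local
config_file_version = 2
services = nss, pam

[domain/domain.local]
ad_domain = domain.local
krb5_realm = domain.local
id_provider = ad
ldap_id_mapping = True
use_fully_qualified_names = False
access_provider = simple
simple_allow_groups = Server Admin
"""

# Constructed `id <user>` output for two hypothetical AD users; the UIDs/GIDs
# are made up. alice is in the admin group, bob is not.
SAMPLE_ID_OUTPUT = {
    "alice": "uid=1234567(alice) gid=1234513(domain users) "
             "groups=1234513(domain users),1234999(server admin)",
    "bob": "uid=1234568(bob) gid=1234513(domain users) "
           "groups=1234513(domain users)",
}


def parse_sssd_conf(text):
    """sssd.conf is INI-style; interpolation is off because values contain %u/%d."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return cfg


def domain_sections(cfg):
    """Return the domains named in [sssd] domains = (comma separated)."""
    return [d.strip() for d in cfg["sssd"]["domains"].split(",") if d.strip()]


def split_list(value):
    """simple_allow_* values are comma-separated; compare case-insensitively,
    since AD names are case-insensitive and sssd normally lower-cases them."""
    return [item.strip().lower() for item in value.split(",") if item.strip()]


def allowed_groups(cfg, domain):
    """Return (access_provider, [allowed group names]) for the domain section."""
    sec = cfg[f"domain/{domain}"]
    provider = sec.get("access_provider", "permit")
    if provider != "simple":
        return provider, []
    return provider, split_list(sec.get("simple_allow_groups", ""))


def groups_from_id(id_output):
    """Group names exactly as NSS/sssd returned them, taken from the
    parenthesised part of the groups= field so spaces in names survive."""
    m = re.search(r"groups=(.*)$", id_output)
    if not m:
        return []
    return [name.lower() for name in re.findall(r"\(([^)]*)\)", m.group(1))]


def access_check(cfg, domain, id_output):
    """Decide whether the simple rule admits the user described by id_output.
    Returns (True/False/None, reason); None means it cannot be judged offline."""
    provider, allowed = allowed_groups(cfg, domain)
    sec = cfg[f"domain/{domain}"]
    if provider == "permit":
        return True, "access_provider=permit: every resolved user may log in"
    if provider != "simple":
        return None, f"access_provider={provider}: needs the server to evaluate"
    user = re.match(r"uid=\d+\(([^)]*)\)", id_output).group(1).lower()
    if user in split_list(sec.get("simple_allow_users", "")):
        return True, f"{user} is listed in simple_allow_users"
    have = groups_from_id(id_output)
    hits = [g for g in allowed if g in have]
    if hits:
        return True, f"{user} is in allowed group(s): {', '.join(hits)}"
    return False, f"{user}: none of {allowed} appears in resolved groups {have}"


if __name__ == "__main__":
    conf = parse_sssd_conf(SAMPLE_SSSD_CONF)
    for dom in domain_sections(conf):
        for name, out in SAMPLE_ID_OUTPUT.items():
            ok, why = access_check(conf, dom, out)
            print(f"[{dom}] {name}: {'ALLOW' if ok else 'DENY'} ({why})")
```

On a real client, replace SAMPLE_ID_OUTPUT with the output of `id <user>` taken on the Linux host itself; if the group is absent there, the problem is group resolution (membership, caching) rather than the access rule, and if it is present under a different spelling (for example with a domain suffix), simple_allow_groups has to use that spelling.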


Hi, even I am facing the same issue. I need to know where to look and how to rectify the same.