Nested member of ad_access_filter groups cannot log in to the server

Solution Verified

Issue

  • RHEL host server.example.com is integrated directly with Active Directory via SSSD, with access control enforced through the ad_access_filter option in /etc/sssd/sssd.conf.

  • A nested member of the allowed group examplegroup (a user who belongs to examplegroup only through membership in another group) cannot log in to the RHEL host server.example.com, while a direct member of the same group can log in.

    $ cat /etc/sssd/sssd.conf
    [sssd]
    config_file_version = 2
    domains = example.com
    services = nss, pam, ssh, sudo
    
    [domain/example.com]
    ad_domain = example.com
    krb5_realm = EXAMPLE.COM
    realmd_tags = manages-system joined-with-adcli
    cache_credentials = true
    id_provider = ad
    krb5_store_password_if_offline = true
    default_shell = /bin/bash
    use_fully_qualified_names = false
    fallback_homedir = /home/%u@%d
    access_provider = ad
    override_homedir = /home/%u
    override_shell = /bin/bash
    ad_access_filter = (memberOf=CN=examplegroup,OU=Groups,DC=example,DC=com)
    

Environment

  • Red Hat Enterprise Linux 7.9
  • Active Directory (AD)
  • SSSD
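The following sssd.conf fragment is an added example, not the article's own resolution text. It shows the original filter next to a corrected one that matches nested members. The AD memberOf attribute lists only a user's direct group memberships, so a plain (memberOf=...) filter never matches a user who reaches examplegroup through an intermediate group. Active Directory provides the extensible matching rule OID 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN), which makes the domain controller walk the membership chain when evaluating the filter. The group DN is the one from the article; the rest of the domain section is assumed unchanged.

```ini
# Added example: ad_access_filter for nested group members.
# Not the article's own resolution; assumes the group DN shown in the Issue section.
[domain/example.com]
access_provider = ad

# Original setting. memberOf holds only direct memberships, so a user who is
# in examplegroup only through a nested group does not match this filter.
#ad_access_filter = (memberOf=CN=examplegroup,OU=Groups,DC=example,DC=com)

# Corrected setting. The matching rule OID 1.2.840.113556.1.4.1941
# (LDAP_MATCHING_RULE_IN_CHAIN) tells the domain controller to evaluate
# transitive group membership, so direct and nested members both match.
ad_access_filter = (memberOf:1.2.840.113556.1.4.1941:=CN=examplegroup,OU=Groups,DC=example,DC=com)
```

SSSD appends ad_access_filter to the LDAP search for the user object and the domain controller evaluates it, so the matching rule must be one the DC understands; the chain rule is AD-specific and is more expensive for the DC than a plain attribute match. After editing the file, restart the service (`systemctl restart sssd`), invalidate cached entries (`sss_cache -E`), and test the access decision for a nested user with `sssctl user-checks <username>`, which runs the PAM account check through the configured access provider. To confirm the filter itself before touching SSSD, the same filter can be combined with a user match in an ldapsearch against a domain controller, for example `(&(sAMAccountName=<username>)(memberOf:1.2.840.113556.1.4.1941:=CN=examplegroup,OU=Groups,DC=example,DC=com))`; the user name and DC host used there are assumptions, not values from the article.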
